![]() ![]() I have also noticed consistent activity from these IP addresses in Cloud App Security. Is there a service running in Exchange Online I am not aware of that signs in on the users behalf? Why would it be using a token granted to a users device? I am trying to understand why there would be a sign in from a Microsoft Exchange Online IP address to one of our accounts that would be attempting to use a token from a users client as per the error message reported? Our Azure AD monitoring solution will report on your Azure AD users, Azure AD risky sign-ins, status of Azure AD health, Azure AD Connect Sync status. It is also common to see these as non-interactive sign ins. Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs Detect for Cloud will produce detections as listed above to help analysts find the activity. ![]() Upon investigating the flagged sign ins, the IP addresses used for these are within Microsoft's Exchange Online IP range. Azure AD MFA-Failed Suspicious Sign On O365 Suspicious Sign-On Activity - This step of the attack can sometimes be the noisiest, however with a remote workforce, detecting this activity becomes something simple log searching is not sufficient. For each risky sign in Identity Protection assigns a risk level low, medium, or high. This is normally supposed to flag if a users session token is stolen and replayed. Azure AD Identity Protection can detect risks such as anonymous IP address use, atypical travel, malware linked IP address, unfamiliar sign in properties, leaked credentials, password spray, and more. ![]() I have had a few users in my organization flagged as a "Risky User" due to an anomalous token. ![]() I am trying to understand the following activity. From any one tenant’s view, there are so few login attempts with such poor consistency that the attack is undetectable. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |