One of your users is logging-in from an unknown source, can you automatically challenge them with MFA?

Setting the stage

The Yahoo breach resulted in over a billion user accounts and passwords being stolen. The attackers also got all the secret questions and answers that you enter to reset your password. They were inside, undetected for three years, and got a list of all the "alternate email addresses" used for a password reset.


Breaking this down

So they got Yahoo users, what does that have to do with my company? Well, if my COO had a user like (that's for you Rob) and had an alternate email address of, then it's pretty easy to work out that this email account belongs to Rob Jones, who works in your company, and a one-second LinkedIn search tells me he is the COO. What are the odds that Rob used his Yahoo email account as the alternate email address for his self-service password reset in O365? Pretty high. And the same password? Who knows. What we do know is the answer to his security questions, and I use the same 3 or 4 everywhere because they are the only ones that apply to me. What are the chances that, with access to someone's personal email, you could guess his password if you had three years to try? Pretty good.

Over the last 90 minutes...

Rob is trying to log in to his account from Sydney, and he has never been there in his life, nor do you have any offices in Sydney. Would you have any way of knowing this? If you did know, would you have any way to respond automatically to this "risky" event?

There are two questions you need to be able to answer about your users:

  1. Do you know if this user account is for sale on the dark web?
  2. Can you identify that this user is attempting a login that can be classified as "at risk," either because of the location or because the IP address is hidden?

Let's look a little deeper at these two questions, and of course at what you can do to mitigate against an attacker who has stolen your users' identities.

By now it should be pretty clear to you that the type of attack described above is a major threat to your company, and will continue to be for a long time to come. Unless you have some ability to mine the dark web for accounts for sale and use machine learning to cross-reference these lists against your O365 AD, you are on the back foot.

The next indication is the location of the login and what the conditions of the login look like. If you do no business in a particular area, or the IP address is being deliberately obfuscated, we need to be able to recognize this and take additional security steps to make sure this is the real user and the account is safe.

What if the correct username and password are being used from a known location on a known device, but the IP has been identified as "hot" due to several password brute-force attacks originating from this IP in the last five hours?

The Solution

By now you know that I will turn to a Microsoft cloud-based service to save the day, and here is no exception: Azure Active Directory (AAD) Identity Protection (AAD-IP).

AAD-IP is hands down my favorite Microsoft security tool. Why? I don't know it's there until I need it. AAD-IP uses the power of the Intelligent Security Graph, which is fed with billions of signals every day. My login is against Azure Active Directory, and AAD records the exact location of every login, the device, and a large number of other data points (all of this can be accessed and viewed via the O365 management API, which I am going to write about in a future post, but you can see a short clip of the data a little further on).

AAD-IP is an advanced license for AAD (either AAD P2 or E3/E5; just ask your MS team for help on that part). The tool is very quick to enable, and it's designed to be easy to understand and to onboard users.

The "Sign in risk policy" is my favorite catch-all security policy. The basic outline for this policy is:

  • I applied the policy to all users
  • I require MFA when the login attempt is deemed to be a medium or above security threat

What this means is that when any user tries to access AAD and the login attempt is classified as "risky", an additional layer of security will be applied to them. The steps we can take are:

  1. Challenge with an MFA request
  2. Block Access and ask to contact the helpdesk
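As an added example (not code from the original post, and not how Microsoft implements AAD-IP), here is a small Python model of how a sign-in risk policy like the one above turns the signals discussed in this post (credentials for sale, an anonymous IP, an unfamiliar location, an IP "hot" from brute-force attempts) into a risk level and then into the MFA-or-block decision. All user names, IPs, thresholds and log events are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample signals, standing in for what the Intelligent Security Graph feeds AAD-IP.
KNOWN_LOCATIONS = {"rob": {"Dublin", "London"}}   # where Rob normally logs in from
LEAKED_ACCOUNTS = {"alice"}                        # accounts seen for sale on the dark web
ANONYMOUS_IPS = {"203.0.113.9"}                    # anonymizing proxy / Tor exit addresses
# Constructed failed-password events: (source IP, timestamp); 200 failures from one IP
FAILED_LOGINS = [("198.51.100.7", datetime(2017, 1, 10, 12, 0) - timedelta(minutes=i))
                 for i in range(200)]
BRUTE_FORCE_WINDOW = timedelta(hours=5)   # assumed "last five hours" window from the post
BRUTE_FORCE_THRESHOLD = 100               # assumed number of failures that makes an IP "hot"
RISK_ORDER = ["none", "low", "medium", "high"]


def ip_is_hot(ip, now):
    """True when the IP sourced many password failures inside the recent window."""
    recent = [t for src, t in FAILED_LOGINS if src == ip and now - t <= BRUTE_FORCE_WINDOW]
    return len(recent) >= BRUTE_FORCE_THRESHOLD


def sign_in_risk(user, ip, location, now):
    """Classify one sign-in; returns (risk level, list of reasons)."""
    findings = []
    if user in LEAKED_ACCOUNTS:
        findings.append(("high", "credentials for sale"))
    if ip in ANONYMOUS_IPS:
        findings.append(("medium", "anonymous IP"))
    if location not in KNOWN_LOCATIONS.get(user, set()):
        findings.append(("medium", "unfamiliar location"))
    if ip_is_hot(ip, now):
        findings.append(("medium", "IP hot from brute force"))
    # Overall level is the highest single finding; "none" when nothing fired.
    level = max((lvl for lvl, _ in findings), key=RISK_ORDER.index, default="none")
    return level, [reason for _, reason in findings]


def policy_action(level, mfa_at="medium", block_at=None):
    """Sign-in risk policy: MFA at mfa_at or above; optionally block at block_at or above."""
    rank = RISK_ORDER.index(level)
    if block_at is not None and rank >= RISK_ORDER.index(block_at):
        return "block"            # step 2: block and ask the user to contact the helpdesk
    if rank >= RISK_ORDER.index(mfa_at):
        return "mfa"              # step 1: challenge with an MFA request
    return "allow"


if __name__ == "__main__":
    now = datetime(2017, 1, 10, 13, 0)
    for user, ip, loc in [("rob", "192.0.2.5", "Sydney"), ("rob", "198.51.100.7", "Dublin")]:
        level, why = sign_in_risk(user, ip, loc, now)
        print(user, loc, level, why, policy_action(level))
```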


This was first posted on LinkedIn

Paul Keely