RaisingAwareness | Stephen Hackers Blog

03/06/2020

Microsoft 365 – Audit Log Search – UserLoginFailed

By Steve in2FA, MFA, Cloud & Datacenter Management, Cloud Security, Cyber Security, Dark Web, Enterprise Security, Enterprise Security, Exchange, Microsoft, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance Tag Activity, Audit Log, CyberSecurity, Email, Filter, M365, Pwned, RaisingAwareness, Search, Security, User Login Failed, UserLoginFailed, Whois

M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log

https://protection.office.com/unifiedauditlog

Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.

There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.

Where can we see Failed login attempts

Audit Log Search

Audit Log Search > Set Activities / Dates > Search

Next apply a filter

Click >Filter Results> “Activity” = “UserLoginFailed”

After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com

A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.

Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/

In this case the account has previously had information “email address” & “Password” compromised.

Now going back to the IP address’s

This example located in Australia. Not blacklisted.

So what are the next options suggestions?

Conditional Access
Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).

So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.

17/02/2020

Account Hack / Phishing Email Alert / #IR35

By Steve inCyber Security, Phishing, Phishing Email Tag Alert, CyberSecurity, IR35, PhishingEmail, RaisingAwareness

Be careful, if an email account has been compromised, you might receive a genuine looking email which will pass through your spam filter. As an example, I have just received an email from “FirstName.LastName@”Domain Name Remove”.co.uk”. This was confirmed with a quick phone call to the company where I was informed the account had been hacked and I should delete the spam email. This post is just to raise awareness. The companies name is covered intentionally, as is their website.

Some basic warning signs were there:

No branding
No reference or invoice number
Somewhere to click.

Some more interesting features are:

The link – Simply hover over the PDF link to reveal that well known domain “1drv.ms”. A OneDrive shared link, in theory a trusted source, but why not just attach a PDF if the mail is genuine?
The email domain was linked to a genuine company @”Domain Name Removed”.co.uk – this genuine victim being used as a cover.

The target was obviously selected based on a hot topic in the media they deal with.
And the different no_reply@accountpayable.com domain you can purchase was a nice discovery.

16/08/2019

Phishing TEXT Scam

By Steve inCyber Security, Ethical Hacking, Phishing Tag #Fake, +447597009141, CyberSecurity, Phishing, Phishingtxt, RaisingAwareness, Scam

Watch out for the latest Phishing TEXT Scams. This week they are getting a bit lazy and less convincing. This #Fake #Halifax text has just been received. SUSPICIOUS activity!! On an account I don’t have with Halifax, or in this case an account with “hlxdata.online”

> Sent from “+44 7597009141” #Dangerous Rating #O2

> Either not even masking the number or its masked with this bogus number

> HLXdata.online a very catchy web address

+ Check numbers out for SCAM details, start with for the number on Google +Don’t visit sites marked “HLXdata.online” for you large corporate bank +Don’t phone the number on the message. Call the number on the back of your bank card

+ Question everything.

#CyberSecurity #raisingawareness #phishingattack #phishingtext #phishing #Scam #txt #text #Alert

23/07/2019

Phishing Email – TV Licensing – Don’t be a victim

By Steve inCyber Security, Ethical Hacking, Phishing Email Tag CyberSecurity, Email, Fraud, Phishing, PhishingEmail, RaisingAwareness, Security

Watch out for the latest Phishing Email Scams. They are getting ever more convincing. This TV Licensing email just came through.

Sent from “Trusted Sender”

No spelling or grammar issues

Always, catching your eye.

EEEeee I’ve not paid a bill.

ALWAYS ALWAYS hover over the links to view the correct URL address.

Nobody takes payments via clear txt “HTTP”

TV license dont use “soul-rebel.de” A german .de site collecting my TV license these days. Oh reall

DON’T user phone numbers in Phishing emails for verification of a legit email.

Question everything.

Tag RaisingAwareness