M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log
Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.
There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.
Where can we see Failed login attempts
Audit Log Search
Audit Log Search > Set Activities / Dates > Search
Next apply a filter
Click >Filter Results> “Activity” = “UserLoginFailed”
After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com
A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.
“22.214.171.124” – Russia
“126.96.36.199” – New Caledonia
“188.8.131.52” – Brunei
One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.
Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/
In this case the account has previously had information “email address” & “Password” compromised.
Now going back to the IP address’s
This example located in Australia. Not blacklisted.
So what are the next options suggestions?
- Conditional Access
- Disable Basic Authentication
We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).
So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.