Account lockouts from attacks on Office 365 Hybrid (Exchange)

  • Question

  • We cannot be the only ones facing this issue, what are you guys doing??

    We are getting attacks from all over the world, trying to log in to our O365 (maybe Exchange??). The accounts are getting locked out, so no one is getting in...yet.

    If this was all on-prem, I would just blacklist the IPs and move on. But all the traffic appears to be coming from MS, and the offending IPs and info are inside an XML request.

    We are going to try a 'ClientAccessRule' for Exchange, but that still leaves O365 open.

    How is everyone else doing this? Surely we are not the only ones.

    P.S. We use OWA, Outlook, SharePoint, Teams, and O365 on-prem (all private IP), and in the world we use phones and VPN (VIPs may demand OWA, but not yet).


    BlankMonkey

    Wednesday, October 17, 2018 10:24 PM

Answers

  • Yes.

    A couple of notes. The comments on MFA were off point. It is enabled, and the accounts are still getting locked out. This was not about making it more secure, but blocking the attempts.

    Finally, I created a ticket with MS, and they detailed turning off 'BASIC' auth. This fixed the issue. I have detailed the fix here:

    http://www.udp689.com/2018/10/29/office-365-brute-force-attack/


    BlankMonkey

    • Marked as answer by BlankMonkey Thursday, November 1, 2018 12:00 AM
    Thursday, November 1, 2018 12:00 AM
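
The accepted answer names the fix (turning off Basic authentication) but the steps are only in the linked post. As an added example, not taken from that post or from Microsoft support's instructions, here is one way to stage that change with Exchange Online authentication policies. It assumes an already connected Exchange Online PowerShell session and that clients support modern authentication; the policy name and pilot addresses are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Assumes a connected
# Exchange Online PowerShell session. Names below are placeholders.
$PolicyName = 'Block Basic Auth'                       # hypothetical policy name
$PilotUsers = @('pilot.user1@example.com',             # constructed sample accounts
                'pilot.user2@example.com')

# 1. Create the policy once. A new authentication policy permits no Basic
#    authentication on any protocol unless an AllowBasicAuth* switch is set.
$existing = Get-AuthenticationPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 2. Assign the policy to a pilot group first, so clients that still depend
#    on Basic authentication are found before the whole tenant is affected.
foreach ($upn in $PilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
    # Invalidate cached tokens so the policy applies now rather than after
    # the normal propagation delay.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 3. Confirm the assignment on the pilot accounts.
$PilotUsers |
    ForEach-Object { Get-User -Identity $_ } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# 4. After the pilot is clean, make the policy the organization default so
#    accounts without an explicit policy are covered as well.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy
```

With Basic authentication blocked by policy, the request is rejected before the password is checked against the account.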

All replies

  • Hi BlankMonkey,

    You can try to enable multi-factor authentication (MFA) for your Office 365 accounts which will help protect against credential stuffing. For details, see:

    Set up 2-step verification for Office 365

    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Niko.Cheng Tuesday, October 23, 2018 2:09 AM
    Thursday, October 18, 2018 2:34 AM
  • Hi,

    Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.


    Best Regards,
    Niko Cheng

    Wednesday, October 31, 2018 10:12 AM
  • Go to the Azure feedback UserVoice, and search for:

    Conditional access validated prior to password.

    Unfortunately I can't paste the link yet until my account is validated.

    I had to create a complex script to avoid user locking due to bots. Shame there is no solution for this... so I wrote this idea in the user vote to have MFA acting before the password is parsed, then the password is verified.

    Monday, June 3, 2019 2:57 PM