Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in originated from. Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys. In 2020, I have started getting log in alerts, which according to https://whatismyipaddress.com/ are from Microsoft Datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure". e.g 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin). Worried about potential breaches, I contacted Microsoft Support (who by the way are always ON IT, thank you) who helped me find info in the audit log to say the User Agent is BAV2ROPC, which lead me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile. I have a couple of questions / observations and wondered if anyone could shed any light on this. 1) My users don't know their passwords so it's highly unlikely they've been phished, so I don't think these are breaches. 2) My email account has triggered log ins from Microsoft IP addresses, and I have 2 factor authentication turned on where I received a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach. 3) I don't use Microsoft Outlook on my mobile, so don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts). 4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location? 5) My account is used to sign in programatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their android phone on the built in email app. 6) The frequency I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now. In summary, I don't think there's anything untoward goin on, but as a responsible admin, I'ld like to understand exactly what's occuring. Many thanks, DaveNinja Cat Giveaway: Episode 5 | Mobile Threat Defense
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: After assessing this discussion with Yuji, tell us what are at least 3 common attack vectors on mobile devices? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Boost your Security Posture with a New Password Spray Detection Alert in Microsoft 365 Defender
Microsoft Defender alert policies are crucial for organizations to monitor and detect suspicious activities that may lead to cyber-attacks and data loss. These prebuilt policies help forensic investigators, security teams, and IT admins to detect and respond to potential threats promptly in their organization. What’s new? Microsoft has introduced a new alert to detect ‘Password spray attack originating from single ISP’. This new alert is absolutely a game-changer in cybersecurity, providing an additional layer of security to defend against such attacks. By identifying possible indicators of password spray attacks, organizations can take proactive measures to prevent potential breaches. Check out the blog to know more about how to identify the possible indicators of password spray attacks and the remediation actions. https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/
AZ-500: Microsoft Azure Security Technologies Study Guide
The AZ-500 certification provides professionals with the skills and knowledge needed to secure Azure infrastructure, services, and data. The exam covers identity and access management, data protection, platform security, and governance in Azure. Learners can prepare for the exam with Microsoft's self-paced curriculum, instructor-led course, and documentation. The certification measures the learner’s knowledge of managing, monitoring, and implementing security for resources in Azure, multi-cloud, and hybrid environments. Azure Firewall, Key Vault, and Azure Active Directory are some of the topics covered in the exam.
