Educause Security Discussion mailing list archives
Re: Interesting auth attempts with unusual user agent string
From: Frank Barton <bartonf () HUSSON EDU>
Date: Mon, 6 Apr 2020 16:02:38 -0400
We just opened up O365, but we are using federated logins... they come back to us via ADFS for login We had a rash of people getting locked out thanks to one IP in Germany, but then we activated ADFS lockouts that are more stringent than AD, so ADFS will lock out the account after a few failed attempts, and won't even pass the attempts on to AD. Frank On Mon, Apr 6, 2020 at 3:58 PM Snook, Allen <asnook () messiah edu> wrote:
You got off easy. J The only good protection I have seen is to implement MFA for all accounts. Though with everyone working from home the rollout for that would be crazy right now. We are planning for Summer break currently. Regards, *Allen A. Snook - CISSP* Director of Information Security CCNP [image: cid:part2.C84B68C8.50548032@messiah.edu] *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole *Sent:* Monday, April 6, 2020 3:50 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Interesting auth attempts with unusual user agent string [image: [***CAUTION*** This email originated from outside of Messiah College]] Thanks Allen, The attack ended early Sunday for us. We had about 250+ attempts over a 24 hour period. Not huge but definitely unusual. Jim *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Snook, Allen *Sent:* Monday, April 6, 2020 3:43 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: Interesting auth attempts with unusual user agent string This email originated from outside of Stevenson University. Use caution with links or attachments unless you know the content is safe. We are also seeing this same spike, we have had several accounts compromised because of it. Office 365 has the strangest of way of locking an account for bad passwords and some times an attacker can try hundreds of thousands of failed passwords before an account will get locked if at all. Regards, *Allen A. Snook - CISSP* Director of Information Security CCNP [image: cid:part2.C84B68C8.50548032@messiah.edu] *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole *Sent:* Saturday, April 4, 2020 8:54 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Interesting auth attempts with unusual user agent string [image: [***CAUTION*** This email originated from outside of Messiah College]] I'm seeing a spike in some interesting auth failures to O365 with the user agent string "Outlook-iOS/723.4027091.prod.iphone (4.28.0)" These attempts are similar to the now steady stream of IMAP4 failures. Anyone have any info on this, especially the user agent string. It appears to be a developer API. This activity started Friday and is ongoing. Thanks. Jim Bole Director of Information Security Stevenson University 1525 Greenspring Valley Road Stevenson, MD, 21153-0641 jbole () stevenson edu | O: 443-334-2696 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083652639&sdata=MLmYb4lUQtMtHgbALGZd7Qi%2Bwgd9eOmpWOSE7300mp8%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083662632&sdata=tKNzlrF4kZqxtRTv1SzzHr01%2Fw5wnk6F09ANrfJfL0U%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
-- Frank Barton, MBA Security+, ACMT, MCP IT Systems Administrator Husson University PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 04)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Frank Barton (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Blake Brown (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Frank Barton (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Blake Brown (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)