Re: Interesting auth attempts with unusual user agent string

[Frank Barton <bartonf () HUSSON EDU>]

We just opened up O365, but we are using federated logins... they come back
to us via ADFS for login

We had a rash of people getting locked out thanks to one IP in Germany, but
then we activated ADFS lockouts that are more stringent than AD, so ADFS
will lock out the account after a few failed attempts, and won't even pass
the attempts on to AD.

Frank

On Mon, Apr 6, 2020 at 3:58 PM Snook, Allen <asnook () messiah edu> wrote:

> You got off easy.  J
>
>
>
> The only good protection I have seen is to implement MFA for all
> accounts.  Though with everyone working from home the rollout for that
> would be crazy right now.  We are planning for Summer break currently.
>
>
>
> Regards,
>
>
>
> *Allen A. Snook - CISSP*
>
> Director of Information Security
>
> CCNP
>
> [image: cid:part2.C84B68C8.50548032@messiah.edu]
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole
> *Sent:* Monday, April 6, 2020 3:50 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Interesting auth attempts with unusual user
> agent string
>
>
>
> [image: [***CAUTION*** This email originated from outside of Messiah
> College]]
>
> Thanks Allen,
>
>
>
> The attack ended early Sunday for us. We had about 250+ attempts over a 24
> hour period. Not huge but definitely unusual.
>
>
>
> Jim
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Snook, Allen
> *Sent:* Monday, April 6, 2020 3:43 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: Interesting auth attempts with unusual user agent string
>
>
>
> This email originated from outside of Stevenson University. Use caution
> with links or attachments unless you know the content is safe.
>
> We are also seeing this same spike,  we have had several accounts
> compromised because of it.  Office 365 has the strangest of way of locking
> an account for bad passwords and some times an attacker can try hundreds of
> thousands of failed passwords before an account will get locked if at all.
>
>
>
> Regards,
>
>
>
> *Allen A. Snook - CISSP*
>
> Director of Information Security
>
> CCNP
>
> [image: cid:part2.C84B68C8.50548032@messiah.edu]
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole
> *Sent:* Saturday, April 4, 2020 8:54 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Interesting auth attempts with unusual user agent
> string
>
>
>
> [image: [***CAUTION*** This email originated from outside of Messiah
> College]]
>
> I'm seeing a spike in some interesting auth failures to O365 with the user
> agent string "Outlook-iOS/723.4027091.prod.iphone (4.28.0)"
>
> These attempts are similar to the now steady stream of IMAP4 failures.
>
> Anyone have any info on this, especially the user agent string. It appears
> to be a developer API.
>
> This activity started Friday and is ongoing.
>
> Thanks.
>
> Jim Bole
> Director of Information Security
> Stevenson University
> 1525 Greenspring Valley Road
> Stevenson, MD, 21153-0641
> jbole () stevenson edu | O: 443-334-2696
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083652639&sdata=MLmYb4lUQtMtHgbALGZd7Qi%2Bwgd9eOmpWOSE7300mp8%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083662632&sdata=tKNzlrF4kZqxtRTv1SzzHr01%2Fw5wnk6F09ANrfJfL0U%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community