Educause Security Discussion mailing list archives

Re: Spike in O365 risky "unfamiliar" sign-ins?


From: Josh Grier <jgrier () WESTERN EDU>
Date: Fri, 13 Sep 2019 14:36:01 +0000

Jim,
I just took a look at our sign-ins and I'm seeing a lot of unfamiliar locations, mostly South Korea, but all of the listed IPs are owned by Microsoft.

Josh Grier
Information Technology Services
Western Colorado University
970.943.3107

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, September 13, 2019 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

In the past 24 hours we saw a spike in "unfamiliar" sign-in alerts on our O365 tenant.

We are still investigating, but we have some indications it might be due to Microsoft's recent change in their algorithm:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Presenting-the-new-Unfamiliar-Sign-in-Properties/ba-p/779978

Is anyone else seeing this?


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696


