Educause Security Discussion mailing list archives

Re: Spike in O365 risky "unfamiliar" sign-ins?


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Fri, 13 Sep 2019 15:28:54 +0000

Many thanks for the quick confirmation.

We had a scary start to this Friday the 13th.

Jim

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hart, Michael
Sent: Friday, September 13, 2019 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Spike in O365 risky "unfamiliar" sign-ins?

Yep.  Same here.  I'm going to be working with my team to create a good run book for these events.  A fair percentage 
need to be filtered out, and we need to find a good way of determining the validity of an alert.  As an example, I have 
a faculty member who showed an alert for logging in from South Korea this morning.  I don't know off-hand if she's 
travelling and this is legit, or if her account is compromised.  We'll need to figure out how to do a reasonably fast 
investigation for these events.  I obviously can't just email the individuals, as someone could be intercepting the 
emails.

If anyone has good O365 runbooks, I would appreciate a discussion.


Mike Hart  | CISO, Director of ITS Security, Infrastructure, and Networking
Metropolitan State University of Denver
Information Technology Services
Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362
Admin Building - 1201 5th Street 480E  Denver, CO 80204
303-615-0541 (Office)
303-352-7548 (Help Desk)
mhart20 () msudenver edu | www.msudenver.edu/technology


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, September 13, 2019 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

In the past 24 hours we saw a spike in "unfamiliar" sign-in alerts on our O365 tenant.

We are still investigating, but we have some indications it might be due to Microsoft's recent change in their 
algorithm:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Presenting-the-new-Unfamiliar-Sign-in-Properties/ba-p/779978

Is anyone else seeing this?


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
