Educause Security Discussion mailing list archives
Re: Spike in O365 risky "unfamiliar" sign-ins?
From: "Turnbull, Colin" <cturnbull () EWU EDU>
Date: Fri, 13 Sep 2019 18:05:21 +0000
Possibly unrelated, but if you subscribe to the haveibeenpwned domain search, you may want to compare the accounts with those listed in the Chegg data breach. We're seeing a run on those accounts being tested. This includes the use of the MS address space with a South Korea geolocation.

Colin Turnbull
Sr Manager InfoSec Services & CISO
Information Technology
cturnbull () ewu edu | 509.359.4985

On 9/13/19 8:28 AM, Jim A. Bole wrote:
Many thanks for the quick confirmation. We had a scary start to this Friday the 13th.

Jim

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hart, Michael
Sent: Friday, September 13, 2019 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Spike in O365 risky "unfamiliar" sign-ins?

Yep. Same here. I'm going to be working with my team to create a good run book for these events. A fair percentage need to be filtered out, and we need to find a good way of determining the validity of an alert. As an example, I have a faculty member who showed an alert for logging in from South Korea this morning. I don't know off-hand if she's travelling and this is legit, or if her account is compromised. We'll need to figure out how to do a reasonably fast investigation for these events. I obviously can't just email the individuals, as someone could be intercepting the emails.

If anyone has good O365 runbooks, I would appreciate a discussion.

Mike Hart | CISO, Director of ITS Security, Infrastructure, and Networking
Metropolitan State University of Denver Information Technology Services
Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362
Admin Building - 1201 5th Street 480E Denver, CO 80204
303-615-0541 (Office) 303-352-7548 (Help Desk)
mhart20 () msudenver edu | www.msudenver.edu/technology

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, September 13, 2019 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

In the past 24 hours we saw a spike in "unfamiliar" sign-in alerts on our O365 tenant. We are still investigating, but we have some indications it might be due to Microsoft's recent change in their algorithm: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Presenting-the-new-Unfamiliar-Sign-in-Properties/ba-p/779978

Is anyone else seeing this?

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
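A small triage helper along the lines Mike (filter and prioritise the alert flood) and Colin (compare against the breach list) describe, added here as an example and not code from any poster or from Microsoft. The expected-country set, the watched IP range, the breach list and the sign-in records are all constructed assumptions; a real deployment would feed it Identity Protection risk detections and an HIBP domain-search export.

```python
"""Triage helper for Azure AD 'unfamiliar sign-in properties' risk detections.
Added example for this thread (not code from any poster or from Microsoft):
each risky sign-in gets a score so the alert queue can be worked in order.
All records below are constructed."""
from dataclasses import dataclass
import ipaddress

# Countries the tenant normally sees; anything else adds to the score.
EXPECTED_COUNTRIES = {"US"}
# Constructed placeholder (TEST-NET-3) standing in for a provider range the
# analyst wants to weight (the thread mentions MS address space; no real prefix here).
WATCHED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class RiskySignIn:
    upn: str
    ip: str
    country: str
    risk_event: str  # Identity Protection risk event type, e.g. "unfamiliarFeatures"

def score_signin(evt, breached_upns):
    """Return (score, reasons). Higher score = investigate first."""
    score, reasons = 0, []
    if evt.risk_event == "unfamiliarFeatures":
        score += 1
        reasons.append("unfamiliar sign-in properties detection")
    if evt.upn.lower() in breached_upns:  # e.g. an HIBP domain-search export
        score += 3
        reasons.append("account appears in breach list")
    if evt.country not in EXPECTED_COUNTRIES:
        score += 2
        reasons.append(f"sign-in from unexpected country {evt.country}")
    if any(ipaddress.ip_address(evt.ip) in net for net in WATCHED_RANGES):
        score += 1
        reasons.append("source IP in watched provider range")
    return score, reasons

def triage(events, breached_upns):
    """Sort events by descending score; ties keep input order (sorted is stable)."""
    return sorted(((score_signin(e, breached_upns), e) for e in events),
                  key=lambda pair: -pair[0][0])

# Constructed sample data: a fictional breach export and three alerts.
BREACHED = {"alice@example.edu", "carol@example.edu"}
EVENTS = [
    RiskySignIn("alice@example.edu", "203.0.113.7", "KR", "unfamiliarFeatures"),
    RiskySignIn("bob@example.edu", "198.51.100.4", "US", "unfamiliarFeatures"),
    RiskySignIn("dave@example.edu", "192.0.2.9", "KR", "unfamiliarFeatures"),
]
```

Calling `triage(EVENTS, BREACHED)` puts the breached account seen from South Korea first, the unexpected-country alert second, and the in-country alert last, so the "fair percentage" Mike wants filtered lands at the bottom rather than being dropped.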
Current thread:
- Spike in O365 risky "unfamiliar" sign-ins? Jim A. Bole (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Huang, Maria (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Hart, Michael (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Jim A. Bole (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Turnbull, Colin (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Sonder, Henk E. (Sep 13)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Frank Barton (Sep 20)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Brandon Hume (Sep 20)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Jim A. Bole (Sep 13)
- <Possible follow-ups>
- Re: Spike in O365 risky "unfamiliar" sign-ins? Theodore J. August (Sep 14)
- Re: Spike in O365 risky "unfamiliar" sign-ins? Jim A. Bole (Sep 16)