Educause Security Discussion mailing list archives

Re: Spike in O365 risky "unfamiliar" sign-ins?


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Mon, 16 Sep 2019 13:49:28 +0000

I'm also seeing a high correlation with compromised Chegg accounts.

So I don't think it was a Microsoft change in algorithms that caused the spike. It was an attack against compromised 
Chegg accounts.

I agree this will be an ongoing headache. This current attack found just a small percentage of all our compromised 
Chegg accounts (thanks HIBP).

Is there anything we can do collectively to mitigate future events?

Has anyone provided any notifications to end-users?


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Saturday, September 14, 2019 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Spike in O365 risky "unfamiliar" sign-ins?


I can also confirm that we are seeing this as well.  All of them are on Chegg data breach list that was published in 
mid-August.  Other similarities include that all the flagged logons are using IMAP to connect (so far).  We're updating 
our conditional access policies to catch some of the IP blocks that are coming from hosting services in case they want 
to use something other than IMAP to attempt a logon (which we already have blocked).

My interpretation of what I'm seeing in Azure is that the accounts being marked high-risk are the accounts that have 
had a successful username/password logon attempt that was blocked.  We're getting some medium and low risk 
alerts as well, on the accounts where the username and password on the breach list don't match the currently used 
password on the account.

We saw a few from the Microsoft South Korea IPs as well - that one is the most puzzling.

This Chegg breach is going to be a headache for higher-ed.  The unsalted MD5 passwords were probably decrypted very 
quickly by those who had access.

--
Ted August
Network Administrator
Office of Information Technology
Salve Regina University

On 9/13/19, 7:23 PM, "The EDUCAUSE Security Community Group Listserv on behalf of Sonder, Henk E." <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of hsonder () RIC EDU> wrote:

    Colin,

    The same here. I have had over a half dozen student accounts in the last two days and they all show up in the Chegg 
breach. The geolocations are all over the place (including Russia, Philippines, Thailand, Indonesia, Greece, and Saudi 
Arabia).

    Sure this will continue for a while.

    Henk E. Sonder
    Director Information Security
    Rhode Island College
    600 Mount Pleasant Ave
    Providence, RI 02908
    Office: 401-456-9577
    Email: hsonder () ric edu

    -----Original Message-----
    From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Turnbull, Colin
    Sent: Friday, September 13, 2019 2:05 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

    Possibly unrelated but if you subscribe to the haveibeenpwned domain search, you may want to compare the accounts 
with those listed in the Chegg data breach. We're seeing a run on those accounts being tested.
    This includes the use of the MS address space with a South Korea geolocation.

    Colin Turnbull
    Sr Manager InfoSec Services & CISO
    Information Technology
    cturnbull () ewu edu | 509.359.4985

    On 9/13/19 8:28 AM, Jim A. Bole wrote:
    > Many thanks for the quick confirmation.
    >
    > We had a scary start to this Friday the 13th.
    >
    > Jim
    >
    > *From:* The EDUCAUSE Security Community Group Listserv
    > <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Hart, Michael
    > *Sent:* Friday, September 13, 2019 10:40 AM
    > *To:* SECURITY () LISTSERV EDUCAUSE EDU
    > *Subject:* Re: Spike in O365 risky "unfamiliar" sign-ins?
    >
    > Yep.  Same here.  I'm going to be working with my team to create a
    > good run book for these events.  A fair percentage need to be filtered
    > out, and we need to find a good way of determining the validity of an alert.
    > As an example, I have a faculty member who showed an alert for logging
    > in from South Korea this morning.  I don't know off-hand if she's
    > travelling and this is legit, or if her account is compromised.  We'll
    > need to figure out how to do a reasonably fast investigation for these
    > events.  I obviously can't just email the individuals, as someone
    > could be intercepting the emails.
    >
    > If anyone has good O365 runbooks, I would appreciate a discussion.
    >
    > *Mike Hart  | CISO, Director of ITS Security, Infrastructure, and
    > Networking*
    > *Metropolitan State University of Denver Information Technology
    > Services* Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin
    > Building - 1201 5th Street 480E  Denver, CO 80204
    > 303-615-0541 (Office)
    > 303-352-7548 (Help Desk)
    > mhart20 () msudenver edu <mailto:mhart20 () msudenver edu> | http://www.msudenver.edu/technology
    >
    >
    > *From:* The EDUCAUSE Security Community Group Listserv
    > <SECURITY () LISTSERV EDUCAUSE EDU
    > <mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
    > *On Behalf Of *Jim A. Bole
    > *Sent:* Friday, September 13, 2019 8:25 AM
    > *To:* SECURITY () LISTSERV EDUCAUSE EDU
    > <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
    > *Subject:* [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?
    >
    > In the past 24 hours we saw a spike in "unfamiliar" sign-in alerts on
    > our O365 tenant.
    >
    > We are still investigating, but we have some indications it might be
    > due to Microsoft's recent change in their algorithm:
    >
    > https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Presenting-the-new-Unfamiliar-Sign-in-Properties/ba-p/779978
    >
    > Is anyone else seeing this?
    >
    > Jim Bole
    >
    > Director of Information Security
    >
    > *Stevenson University*
    >
    > 1525 Greenspring Valley Road
    >
    > Stevenson, MD, 21153-0641
    >
    > jbole () stevenson edu <mailto:jbole () stevenson edu> | O: 443-334-2696
    >






**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
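The thread above converges on one triage procedure: pull the flagged sign-ins, join them against the breach-list addresses from a haveibeenpwned domain search, note whether the logon used a legacy protocol such as IMAP or came from a hosting provider range, and then decide whether to contain or to verify out of band rather than by e-mail. The script below is an added example that does exactly that; it is not code from any of the posters. The CSV column names, the breach-list format, the scoring weights and the hosting-provider prefixes are all assumptions made for the example, and the sign-in records and breach list are constructed sample data.

```python
"""Triage of Azure AD risky sign-in alerts against a breach-list export.

Added example for this thread, not code from any of the posters. It assumes
(nothing in the thread specifies this) that the flagged sign-ins were exported
to CSV with the columns below, that the breach-list addresses came from a
Have I Been Pwned domain search, and that you know which hosting-provider
prefixes you already block in Conditional Access.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of flagged sign-ins (made-up users, documentation IPs).
SIGNINS_CSV = """\
user,ip,country,client_app,status
alice@example.edu,203.0.113.7,RU,IMAP4,Failure
bob@example.edu,192.0.2.11,ID,Browser,Failure
carol@example.edu,192.0.2.40,KR,Browser,Success
dave@example.edu,198.51.100.9,TH,Exchange ActiveSync,Failure
erin@example.edu,192.0.2.50,US,Browser,Failure
"""

# Constructed breach-list export: one address per line, as a domain search
# would list the accounts that appeared in a given breach.
BREACH_LIST = """\
alice@example.edu
bob@example.edu
dave@example.edu
"""

# Hosting-provider prefixes you block; documentation ranges as placeholders.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Client apps that authenticate with username/password only (no MFA prompt).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


@dataclass
class Verdict:
    user: str
    score: int
    action: str
    reasons: list = field(default_factory=list)


def load_breach_list(text):
    """Normalise addresses so the join is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def action_for(score):
    # Contain when several independent indicators agree; otherwise verify out
    # of band, never by replying to a mailbox that may already be read by the
    # attacker; close when nothing corroborates the alert.
    if score >= 5:
        return "contain: reset password, revoke refresh tokens, notify user out of band"
    if score >= 2:
        return "verify: confirm travel/activity by phone or in person"
    return "close: no corroborating indicator"


def triage(signins_csv, breach_text):
    """Score each flagged sign-in and attach the runbook action."""
    breached = load_breach_list(breach_text)
    verdicts = []
    for row in csv.DictReader(io.StringIO(signins_csv)):
        v = Verdict(user=row["user"], score=0, action="")
        if row["user"].lower() in breached:
            v.score += 3
            v.reasons.append("address is on the breach list")
        if row["client_app"] in LEGACY_CLIENTS:
            v.score += 2
            v.reasons.append(f"legacy protocol: {row['client_app']}")
        if in_hosting_range(row["ip"]):
            v.score += 2
            v.reasons.append(f"source {row['ip']} is in a blocked hosting range")
        if row["status"] == "Success":
            v.score += 2
            v.reasons.append(f"logon succeeded from {row['country']}")
        v.action = action_for(v.score)
        verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in triage(SIGNINS_CSV, BREACH_LIST):
        print(f"{v.user:<20} score={v.score} {v.action}")
        for r in v.reasons:
            print(f"    - {r}")
```

On the constructed data, alice and dave (breach list, IMAP or ActiveSync, hosting range) go straight to containment; bob (breach list only, modern client, failed logon) and carol (successful browser logon from KR with no other indicator, the travelling-faculty case in the thread) go to out-of-band verification; erin closes. The weights are a starting point for your own runbook, not a calibrated model.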

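Ted's point that unsalted MD5 hashes fall quickly is the reason the breach list translates into working credentials. The added example below, not code from any poster, shows the mechanism: against unsalted MD5 one precomputed table of candidate hashes cracks every user in the dump with a dictionary lookup, so the work is independent of the number of accounts; against a per-user salt and a deliberately slow hash (PBKDF2 here) every user costs a fresh run over the wordlist. The wordlist, the users and their passwords are constructed for the demonstration, and the hash counter is a stand-in for wall-clock cost.

```python
"""Why an unsalted MD5 dump falls fast, and what salting changes.

Added example for this thread, not from any poster. The wordlist and the
leaked records are constructed; the counter stands in for cracking time.
"""
import hashlib
import os

# Constructed candidate passwords; a real attacker would use millions.
WORDLIST = ["password", "letmein", "Fall2019!", "chegg123", "qwerty", "Welcome1"]


class Work:
    """Counts hash computations so the two attacks can be compared."""
    def __init__(self):
        self.hashes = 0


def md5_hex(password, work):
    work.hashes += 1
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hex(password, salt, work, rounds=10_000):
    # One PBKDF2 call; the rounds make each guess deliberately expensive.
    work.hashes += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_unsalted(records, wordlist):
    """records: list of (user, md5hex). One table serves every user."""
    work = Work()
    table = {md5_hex(w, work): w for w in wordlist}
    recovered = {user: table.get(h) for user, h in records}
    return recovered, work.hashes


def crack_salted(records, wordlist):
    """records: list of (user, salt, pbkdf2hex). Each user needs a fresh run."""
    work = Work()
    recovered = {}
    for user, salt, h in records:
        recovered[user] = next((w for w in wordlist if slow_salted_hex(w, salt, work) == h), None)
    return recovered, work.hashes


def make_unsalted_dump(users_passwords):
    """Simulate a site that stored bare MD5(password)."""
    w = Work()
    return [(u, md5_hex(p, w)) for u, p in users_passwords]


def make_salted_dump(users_passwords):
    """Simulate a site that stored PBKDF2(password, random 16-byte salt)."""
    w = Work()
    out = []
    for u, p in users_passwords:
        salt = os.urandom(16)
        out.append((u, salt, slow_salted_hex(p, salt, w)))
    return out


# Constructed "breach": four users, three of whom chose wordlist passwords.
USERS = [("alice", "Fall2019!"), ("bob", "chegg123"), ("carol", "xK#9v!qL2m"), ("dave", "password")]

if __name__ == "__main__":
    r1, w1 = crack_unsalted(make_unsalted_dump(USERS), WORDLIST)
    r2, w2 = crack_salted(make_salted_dump(USERS), WORDLIST)
    print("unsalted MD5   :", r1, "hash computations:", w1)
    print("salted PBKDF2  :", r2, "hash computations:", w2)
```

Both attacks recover the same three weak passwords, but the unsalted run spends six cheap MD5 computations regardless of how many users are in the dump, while the salted run spends one slow PBKDF2 computation per candidate per user and can never reuse a table across accounts. That scaling difference is what turns a breach dump into a credential-stuffing list within days rather than years.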