Educause Security Discussion mailing list archives

Re: Spike in O365 risky "unfamiliar" sign-ins?


From: Frank Barton <bartonf () HUSSON EDU>
Date: Fri, 20 Sep 2019 15:32:38 -0400

We've had 10/10 compromised accounts today having been on the Chegg list,
and a couple more that are targeted but haven't gotten in.

Frank

On Fri, Sep 13, 2019 at 7:23 PM Sonder, Henk E. <hsonder () ric edu> wrote:

Colin,

The same here. I have had over a half dozen student accounts in the last
two days and they all show up in the Chegg breach. The geolocations are all
over the place (including Russia, Philippines, Thailand, Indonesia, Greece,
and Saudi Arabia).

Sure this will continue for a while.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Turnbull, Colin
Sent: Friday, September 13, 2019 2:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

Possibly unrelated but if you subscribe to the haveibeenpwned domain
search, you may want to compare the accounts with those listed in the Chegg
data breach. We're seeing a run on those accounts being tested.
This includes the use of the MS address space with a South Korea
geolocation.

Colin Turnbull
Sr Manager InfoSec Services & CISO
Information Technology
cturnbull () ewu edu | 509.359.4985

On 9/13/19 8:28 AM, Jim A. Bole wrote:
Many thanks for the quick confirmation.

We had a scary start to this Friday the 13th.

Jim

*From:* The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Hart, Michael
*Sent:* Friday, September 13, 2019 10:40 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: Spike in O365 risky "unfamiliar" sign-ins?

Yep.  Same here.  I'm going to be working with my team to create a
good run book for these events.  A fair percentage need to be filtered
out, and we need to find a good way of determining the validity of an
alert.
As an example, I have a faculty member who showed an alert for logging
in from South Korea this morning.  I don't know off-hand if she's
travelling and this is legit, or if her account is compromised.  We'll
need to figure out how to do a reasonably fast investigation for these
events.  I obviously can't just email the individuals, as someone
could be intercepting the emails.

If anyone has good O365 runbooks, I would appreciate a discussion.

*Mike Hart | CISO, Director of ITS Security, Infrastructure, and
Networking*
*Metropolitan State University of Denver Information Technology
Services* Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin
Building - 1201 5th Street 480E Denver, CO 80204
303-615-0541 (Office)
303-352-7548 (Help Desk)
mhart20 () msudenver edu | www.msudenver.edu/technology


*From:* The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole
*Sent:* Friday, September 13, 2019 8:25 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Spike in O365 risky "unfamiliar" sign-ins?

In the past 24 hours we saw a spike in "unfamiliar" sign-in alerts on
our O365 tenant.

We are still investigating, but we have some indications it might be
due to Microsoft's recent change in their algorithm:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Presenting-the-new-Unfamiliar-Sign-in-Properties/ba-p/779978

Is anyone else seeing this?

Jim Bole

Director of Information Security

*Stevenson University*

1525 Greenspring Valley Road

Stevenson, MD, 21153-0641

jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community





-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

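Colin's suggestion of cross-checking alerted accounts against the Chegg entries of a haveibeenpwned domain search, together with Mike's point that an alert's validity has to be established without emailing the account owner, as an added example (not code from any poster in the thread). The CSV layouts, the home-country value and the out-of-band travel register are assumptions, and all records below are constructed sample data.

```python
"""Triage O365 unfamiliar sign-in alerts against a breach-list export."""
import csv
import io
from collections import defaultdict

HOME_COUNTRY = "US"  # assumption: the tenant's expected sign-in country

# Constructed sample alerts: one row per risky sign-in (user, country, IP).
ALERTS_CSV = """user,country,ip
alice@example.edu,KR,203.0.113.10
alice@example.edu,RU,198.51.100.7
bob@example.edu,US,192.0.2.44
carol@example.edu,PH,203.0.113.77
dave@example.edu,TH,198.51.100.9
"""

# Constructed sample of a domain-search export (layout assumed): email, breach.
BREACHES_CSV = """email,breach
alice@example.edu,Chegg
carol@example.edu,Chegg
carol@example.edu,LinkedIn
erin@example.edu,Chegg
"""

# Countries a user is known to be travelling in, taken from an out-of-band
# source (travel register, phone call), never from a reply to the account.
KNOWN_TRAVEL = {"dave@example.edu": {"TH"}}


def load_breached(csv_text, breach="Chegg"):
    """Return the set of addresses listed under the named breach."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["email"].lower() for r in rows if r["breach"] == breach}


def triage(alerts_csv, breach_csv, known_travel, breach="Chegg"):
    """Rank alerted accounts: breached plus unexplained foreign sign-ins first."""
    breached = load_breached(breach_csv, breach)
    seen = defaultdict(set)
    for r in csv.DictReader(io.StringIO(alerts_csv)):
        seen[r["user"].lower()].add(r["country"])
    results = []
    for user, countries in seen.items():
        unexplained = countries - known_travel.get(user, set()) - {HOME_COUNTRY}
        in_breach = user in breached
        results.append({"user": user, "breached": in_breach,
                        "unexplained": sorted(unexplained),
                        "score": 2 * in_breach + len(unexplained)})
    return sorted(results, key=lambda d: (-d["score"], d["user"]))
```

Accounts with a score of 0 are the ones an out-of-band travel confirmation already explains; everything above that is the investigation queue, with breached accounts seen from several countries at the top.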
