Educause Security Discussion mailing list archives
Re: Interesting auth attempts with unusual user agent string
From: Blake Brown <Blake.Brown () MHCC EDU>
Date: Mon, 6 Apr 2020 20:46:15 +0000
Thanks!

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Sent: Monday, April 6, 2020 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string

Absolutely!

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection

We have the internal ADFS servers, and then the proxy ADFS servers for the extranet login - This ONLY works in that setup.

Frank

On Mon, Apr 6, 2020 at 4:04 PM Blake Brown <Blake.Brown () mhcc edu> wrote:

How did you do this "we activated ADFS lockouts that are more stringent than AD" Frank? Something you can share?

Thanks,
Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Sent: Monday, April 6, 2020 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string

We just opened up O365, but we are using federated logins... they come back to us via ADFS for login.

We had a rash of people getting locked out thanks to one IP in Germany, but then we activated ADFS lockouts that are more stringent than AD, so ADFS will lock out the account after a few failed attempts, and won't even pass the attempts on to AD.

Frank

On Mon, Apr 6, 2020 at 3:58 PM Snook, Allen <asnook () messiah edu> wrote:

You got off easy. :) The only good protection I have seen is to implement MFA for all accounts. Though with everyone working from home the rollout for that would be crazy right now. We are planning for Summer break currently.

Regards,
Allen A. Snook - CISSP
Director of Information Security
CCNP

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, April 6, 2020 3:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string

Thanks Allen,

The attack ended early Sunday for us. We had about 250+ attempts over a 24-hour period. Not huge but definitely unusual.

Jim

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Snook, Allen
Sent: Monday, April 6, 2020 3:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Interesting auth attempts with unusual user agent string

We are also seeing this same spike, we have had several accounts compromised because of it. Office 365 has the strangest way of locking an account for bad passwords and sometimes an attacker can try hundreds of thousands of failed passwords before an account will get locked if at all.

Regards,
Allen A. Snook - CISSP
Director of Information Security
CCNP

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Saturday, April 4, 2020 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting auth attempts with unusual user agent string

I'm seeing a spike in some interesting auth failures to O365 with the user agent string "Outlook-iOS/723.4027091.prod.iphone (4.28.0)"

These attempts are similar to the now steady stream of IMAP4 failures. Anyone have any info on this, especially the user agent string? It appears to be a developer API. This activity started Friday and is ongoing.

Thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
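Added example, not part of the original thread or any poster's code: one way to surface the pattern described above (failed sign-ins clustered under a single user agent string across many accounts within 24 hours) from exported sign-in records. The record layout, account names, IPs, thresholds and the two "Example" user agents are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_UA = "Outlook-iOS/723.4027091.prod.iphone (4.28.0)"  # string quoted in the thread
STALE_UA = "ExampleMail/1.0"        # constructed: one device retrying an old password
BROWSER_UA = "ExampleBrowser/1.0"   # constructed: ordinary interactive logins

# Constructed records: (time, account, source IP, user agent, success).
# Accounts are made up; IPs come from the RFC 5737 documentation ranges.
RECORDS = [
    ("2020-04-03T14:02:00", "alice", "203.0.113.7", SPRAY_UA, False),
    ("2020-04-03T14:09:00", "bob", "203.0.113.7", SPRAY_UA, False),
    ("2020-04-03T19:30:00", "carol", "198.51.100.23", SPRAY_UA, False),
    ("2020-04-03T23:41:00", "dave", "203.0.113.7", SPRAY_UA, False),
    ("2020-04-04T02:15:00", "alice", "198.51.100.23", SPRAY_UA, False),
    ("2020-04-04T08:54:00", "bob", "203.0.113.7", SPRAY_UA, False),
] + [("2020-04-03T09:%02d:00" % m, "erin", "192.0.2.10", STALE_UA, False) for m in range(6)] + [
    ("2020-04-03T08:00:00", "alice", "192.0.2.44", BROWSER_UA, False),
    ("2020-04-03T08:01:00", "alice", "192.0.2.44", BROWSER_UA, True),
    ("2020-04-03T08:30:00", "bob", "192.0.2.45", BROWSER_UA, True),
    ("2020-04-03T09:10:00", "carol", "192.0.2.46", BROWSER_UA, True),
]

def flag_user_agents(records, window=timedelta(hours=24),
                     min_failures=5, min_accounts=3, min_fail_ratio=0.9):
    """Return {user_agent: stats} for agents failing across many accounts in one window."""
    by_ua = defaultdict(list)
    for ts, user, ip, ua, ok in records:
        by_ua[ua].append((datetime.fromisoformat(ts), user, ip, ok))
    flagged = {}
    for ua, events in by_ua.items():
        failures = sorted(e for e in events if not e[3])
        if len(failures) / len(events) < min_fail_ratio:
            continue  # agent also signs in successfully: looks like a real client
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1  # slide the window forward
            burst = failures[start:end + 1]
            accounts = {e[1] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                best = flagged.get(ua, {"failures": 0})
                if len(burst) > best["failures"]:
                    flagged[ua] = {"failures": len(burst), "accounts": sorted(accounts),
                                   "ips": sorted({e[2] for e in burst})}
    return flagged

if __name__ == "__main__":
    print(flag_user_agents(RECORDS))
```

The single-account agent is left out on purpose: repeated failures for one user usually mean a stale saved password, which is a lockout nuisance but not the multi-account pattern.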
Current thread:
- Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 04)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Frank Barton (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Blake Brown (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Frank Barton (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Blake Brown (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Jim A. Bole (Apr 06)
- Re: Interesting auth attempts with unusual user agent string Snook, Allen (Apr 06)