Re: Interesting auth attempts with unusual user agent string

[Blake Brown <Blake.Brown () MHCC EDU>]

Thanks!
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton 
<bartonf () HUSSON EDU>
Sent: Monday, April 6, 2020 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string

External Email

Absolutely!

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection

We have the internal ADFS servers, and then the proxy ADFS servers for the extranet login - This ONLY works in that 
setup.

Frank

On Mon, Apr 6, 2020 at 4:04 PM Blake Brown <Blake.Brown () mhcc edu<mailto:Blake.Brown () mhcc edu>> wrote:
How did you do this "we activated ADFS lockouts that are more stringent than AD" Frank? Something you can share?

Thanks,
Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Frank Barton <bartonf () HUSSON EDU<mailto:bartonf () HUSSON EDU>>
Sent: Monday, April 6, 2020 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string

External Email

We just opened up O365, but we are using federated logins... they come back to us via ADFS for login

We had a rash of people getting locked out thanks to one IP in Germany, but then we activated ADFS lockouts that are 
more stringent than AD, so ADFS will lock out the account after a few failed attempts, and won't even pass the attempts 
on to AD.

Frank

On Mon, Apr 6, 2020 at 3:58 PM Snook, Allen <asnook () messiah edu<mailto:asnook () messiah edu>> wrote:

You got off easy.  :)



The only good protection I have seen is to implement MFA for all accounts.  Though with everyone working from home the 
rollout for that would be crazy right now.  We are planning for Summer break currently.



Regards,



Allen A. Snook - CISSP

Director of Information Security

CCNP

[cid:part2.C84B68C8.50548032@messiah.edu]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jim A. Bole
Sent: Monday, April 6, 2020 3:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting auth attempts with unusual user agent string



[[***CAUTION*** This email originated from outside of Messiah College]]

Thanks Allen,



The attack ended early Sunday for us. We had about 250+ attempts over a 24 hour period. Not huge but definitely unusual.



Jim





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Snook, Allen
Sent: Monday, April 6, 2020 3:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: Interesting auth attempts with unusual user agent string



This email originated from outside of Stevenson University. Use caution with links or attachments unless you know the 
content is safe.

We are also seeing this same spike,  we have had several accounts compromised because of it.  Office 365 has the 
strangest of way of locking an account for bad passwords and some times an attacker can try hundreds of thousands of 
failed passwords before an account will get locked if at all.



Regards,



Allen A. Snook - CISSP

Director of Information Security

CCNP

[cid:part2.C84B68C8.50548032@messiah.edu]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jim A. Bole
Sent: Saturday, April 4, 2020 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Interesting auth attempts with unusual user agent string



[[***CAUTION*** This email originated from outside of Messiah College]]

I'm seeing a spike in some interesting auth failures to O365 with the user agent string 
"Outlook-iOS/723.4027091.prod.iphone (4.28.0)"

These attempts are similar to the now steady stream of IMAP4 failures.

Anyone have any info on this, especially the user agent string. It appears to be a developer API.

This activity started Friday and is ongoing.

Thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu<mailto:jbole () stevenson edu> | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083652639&sdata=MLmYb4lUQtMtHgbALGZd7Qi%2Bwgd9eOmpWOSE7300mp8%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C50ff8b0d6a354e774a8908d7da62c604%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637217990083662632&sdata=tKNzlrF4kZqxtRTv1SzzHr01%2Fw5wnk6F09ANrfJfL0U%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community