If you use O365, you need to learn about password spray. Want to see some campaigns against you? Try #AzureSentinel--you can connect your O365 data for free. Here are some common patterns.
Attacker uses a formulaic Microsoft Office User Agent string.
Attacker using IMAP interface. Look for CBAInPROD from invalid login sources.
gcits.com/knowledge-base…
Attacker using a dictionary of mobile browser User Agent strings.
I will put the Azure Sentinel query in the #AzureSentinel github repo, but in the meantime here it is: gist.github.com/JohnLaTwC/5eb2…
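The three patterns above (a formulaic Office User Agent, failures through the IMAP/CBAInPROD path, and odd or rare UA strings) can each be reduced to a grouping rule. The following Python is an added example, not the thread's gist and not an Azure Sentinel query: the record layout and field names are this example's own rather than the SigninLogs schema, the sample sign-ins and the Office UA string are constructed, and which SigninLogs column carries "CBAInPROD" is an assumption. The Zune UA is the one quoted later in the thread.

```python
from collections import defaultdict

# Constructed sample sign-ins shaped loosely like Azure AD SigninLogs; the field
# names are this example's own, not the real schema. Result codes are real AAD
# codes: 50126 = invalid username or password, 0 = success. IPs are fictional.
OFFICE_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)"  # constructed
ZUNE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
           ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Zune 3.0)")


def signin(ip, user, result, client="Browser", app="Office 365", ua=OFFICE_UA):
    return {"ip": ip, "user": user, "result": result, "client": client, "app": app, "ua": ua}


SIGNINS = [
    # one IP, one failed try against each of four accounts: the spray shape
    signin("203.0.113.10", "alice@example.com", "50126"),
    signin("203.0.113.10", "bob@example.com", "50126"),
    signin("203.0.113.10", "carol@example.com", "50126"),
    signin("203.0.113.10", "dave@example.com", "50126"),
    # legacy IMAP path; the thread's CBAInPROD marker is assumed to land in the app field
    signin("198.51.100.7", "erin@example.com", "50126", client="IMAP4", app="CBAInPROD", ua=""),
    signin("198.51.100.7", "frank@example.com", "50126", client="IMAP4", app="CBAInPROD", ua=""),
    # one account hit three times from one IP with an odd UA: brute force, not spray
    signin("192.0.2.44", "alice@example.com", "50126", ua=ZUNE_UA),
    signin("192.0.2.44", "alice@example.com", "50126", ua=ZUNE_UA),
    signin("192.0.2.44", "alice@example.com", "50126", ua=ZUNE_UA),
    # ordinary successful logons from internal addresses
    signin("10.0.0.5", "alice@example.com", "0"),
    signin("10.0.0.6", "bob@example.com", "0"),
]


def spray_sources(records, min_users=3, max_per_user=2):
    """IPs that failed against many distinct accounts with only a few tries each.
    Low tries per account is what keeps a spray under lockout thresholds."""
    tries = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["result"] != "0":
            tries[r["ip"]][r["user"]] += 1
    hits = {}
    for ip, users in tries.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            hits[ip] = sorted(users)
    return hits


def legacy_imap_failures(records):
    """Failed logons through the IMAP interface, grouped by source IP."""
    out = defaultdict(set)
    for r in records:
        if r["result"] != "0" and (r["client"].startswith("IMAP") or r["app"] == "CBAInPROD"):
            out[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in out.items()}


def rare_user_agents(records, max_ips=1):
    """UA strings seen from at most `max_ips` source IPs; formulaic and
    dictionary UAs tend to surface here because real clients are diverse."""
    ips_by_ua = defaultdict(set)
    for r in records:
        if r["ua"]:
            ips_by_ua[r["ua"]].add(r["ip"])
    return {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) <= max_ips}


if __name__ == "__main__":
    print("spray sources:", spray_sources(SIGNINS))
    print("IMAP failures:", legacy_imap_failures(SIGNINS))
    print("rare UAs:", rare_user_agents(SIGNINS))
```

The thresholds in `spray_sources` are the tunable part: raise `min_users` on a large tenant to cut noise from users mistyping their own password from a shared NAT address, and widen the time window in a real query so the long tail of low-rate IPs still accumulates enough distinct accounts to trip the rule.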
Here is a query that looks for attackers successfully guessing a password. You can see the AAD error code change to 50057 when they guess the credential (because the account is disabled). It also calculates the distance between the attacker IP and a "headquarters" IP (rosettacode.org/wiki/Haversine…)
This query shows which accounts are being tried by location. Even if you are not currently being targeted by a sophisticated actor, password spray is part of Internet Radiation. There is a long tail of IPs used to sneak under the radar of volumetric detections.
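The two signals just described, an error code that flips from a bad-password result to 50057 once the guess is right, and the great-circle distance of the source from a headquarters location, plus the per-location list of targeted accounts, are shown below in Python. This is an added example, not the thread's query: the event records, the headquarters coordinates and the source geolocations are constructed, and the field names are assumptions rather than SigninLogs columns. The Haversine routine follows the Rosetta Code formulation the thread links to, with its Earth radius of 6372.8 km.

```python
import math
from collections import defaultdict

# Constructed "headquarters" coordinates standing in for the HQ IP's geolocation.
HQ_LAT, HQ_LON = 47.6062, -122.3321


def event(t, ip, user, result, lat, lon, country):
    return {"t": t, "ip": ip, "user": user, "result": result,
            "lat": lat, "lon": lon, "country": country}


# Constructed events in time order. Result codes are real AAD codes:
# 50126 = invalid username or password, 50057 = account disabled (only returned
# once the password is right), 0 = success. Geolocations are constructed.
EVENTS = [
    event(1, "203.0.113.10", "alice@example.com", "50126", 52.52, 13.405, "DE"),
    event(2, "203.0.113.10", "bob@example.com", "50126", 52.52, 13.405, "DE"),
    event(3, "203.0.113.10", "old.contractor@example.com", "50126", 52.52, 13.405, "DE"),
    event(4, "203.0.113.10", "old.contractor@example.com", "50057", 52.52, 13.405, "DE"),
    event(5, "198.51.100.7", "carol@example.com", "50126", 39.9042, 116.4074, "CN"),
    event(6, "10.0.0.5", "alice@example.com", "0", HQ_LAT, HQ_LON, "US"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (Rosetta Code formulation, R = 6372.8 km)."""
    r = 6372.8
    dlat = math.radians(lat2 - lat1)
    dlon = math.radians(lon2 - lon1)
    lat1, lat2 = math.radians(lat1), math.radians(lat2)
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def guessed_disabled_accounts(events):
    """(ip, user) pairs whose result went from 50126 to 50057: the password was
    guessed and only the disabled state stopped the logon. Each hit carries the
    distance from the source geolocation to headquarters."""
    codes = defaultdict(list)
    first_seen = {}
    for e in sorted(events, key=lambda e: e["t"]):
        key = (e["ip"], e["user"])
        codes[key].append(e["result"])
        first_seen.setdefault(key, e)
    hits = []
    for key, seq in codes.items():
        if "50057" in seq and "50126" in seq[: seq.index("50057")]:
            e = first_seen[key]
            hits.append({"ip": e["ip"], "user": e["user"],
                         "km_from_hq": round(haversine_km(e["lat"], e["lon"], HQ_LAT, HQ_LON))})
    return hits


def accounts_tried_by_location(events):
    """Which accounts each source country tried and failed against."""
    out = defaultdict(set)
    for e in events:
        if e["result"] != "0":
            out[e["country"]].add(e["user"])
    return {country: sorted(users) for country, users in out.items()}


if __name__ == "__main__":
    print("guessed disabled accounts:", guessed_disabled_accounts(EVENTS))
    print("accounts tried by location:", accounts_tried_by_location(EVENTS))
```

A 50126-to-50057 flip is worth an alert on its own: the attacker now holds a valid password, and the same credential is likely to be reused elsewhere or to work as soon as someone re-enables the account. The distance is a prioritisation aid, not a verdict, since VPN exits and cloud hosting put legitimate users far from headquarters too.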
Use of invalid/rare UA strings is a time-honored technique for spotting malicious activity. Like this use of Zune:
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Zune 3.0)"