If you use O365, you need to learn about password spray. Want to see some campaigns against you? Try #AzureSentinel--you can connect your O365 data for free. Here are some common patterns.
👇👇👇
👇👇👇
Attacker uses a formulaic Microsoft Office User Agent string. 
Attacker using IMAP interface. Look for CBAInPROD from invalid login sources.
🔗gcits.com/knowledge-base…
🔗gcits.com/knowledge-base…
Attacker using a dictionary of mobile browser User Agent strings.
I will put the Azure Sentinel query in the #AzureSentinel github repo, but in the meantime here it is: gist.github.com/JohnLaTwC/5eb2…
Here is a query that looks for attackers successfully guessing a password. You can see the AAD error code changes to 50057 when they guess the cred (b/c the account is disabled). It also calculates the distance b/w the attacker IP and a "headquarters" IP (rosettacode.org/wiki/Haversine…)
This query shows which accounts are being tried by location. Even if you are not currently being targeted by a sophisticated actor, password spray is part of Internet Radiation. There is a long tail of IPs used to sneak under the radar of volumetric detections.
Use of invalid/rare UA strings is a time honored technique for seeing malicious activity. Like this use of Zune:
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; 𝗭𝘂𝗻𝗲 3.0)"
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; 𝗭𝘂𝗻𝗲 3.0)"
• • •
Missing some Tweet in this thread? You can try to
force a refresh
