Alert on successful password login but when MFA fails, and from a suspicious IP/country
Thomas Waterhouse
Twice this week I have seen where hackers have gained a user's password and the sign-in logs in 365 show they tried it and it was successful, but failed to complete MFA so didn't get in. The sign-ins were from new IPs, overseas and completely out of character. If the login succeeded we'd likely have received an alert from Huntress about an unusual country login at the least, but we don't seem to when the login didn't complete. Yet we definitely want to know about these ones; this means hackers have the user's password even if they didn't actually get into 365 with it, and we still need to change it.
We only knew about the two this week due to 365 itself alerting us through Lighthouse about a risky sign in.
Surely firstly Huntress can see these logins just from the sign in logs and alert us, but secondly does it not monitor the 365 risky sign ins feature? I'd have thought that was easy and essential.
Troy Gerrie
I was a bit disappointed to find that this wasn't a thing with Huntress, as we otherwise have full trust in the system.
I would flag that this should be for any failure, not just MFA. We are seeing instances whereby a compromised password is being tested but blocked by a geo-blocking CA policy.
Our security provider should be able to tell us these credentials have been compromised.
Another suggestion is to ingest the risky user information from Microsoft 365.
Bjørn Mathisen
The system wouldn't even need to alert immediately, but could correlate it with other markers. If a completely new IP subnet / location is being used, then a successful password use followed by a failing MFA attempt should be more likely to trigger an escalation.
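A small detector along the lines Troy and Bjørn describe (password accepted, login stopped at MFA or by a Conditional Access block, severity raised when the source country or /24 is new for that user), added here as an example and not code from Huntress or anyone in this thread. The Entra ID result codes are assumed from Microsoft's documented sign-in error codes and should be confirmed against your tenant; the sign-in events are constructed.

```python
from collections import defaultdict

# Assumed Entra ID sign-in result codes (not from the thread; confirm against your tenant)
SUCCESS = {0}                  # password and MFA both completed
MFA_FAILED = {50074, 500121}   # password accepted, second factor not completed or denied
CA_BLOCKED = {53003}           # password accepted, then blocked by Conditional Access (e.g. geo block)
PASSWORD_KNOWN = MFA_FAILED | CA_BLOCKED   # either way, the attacker holds a valid password

# Constructed sample sign-in events; field names loosely follow the M365 sign-in log
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "result": 0},
    {"user": "alice@example.com", "ip": "203.0.113.12", "country": "GB", "result": 0},
    {"user": "alice@example.com", "ip": "198.51.100.7", "country": "NG", "result": 50074},
    {"user": "alice@example.com", "ip": "198.51.100.7", "country": "NG", "result": 50126},  # wrong password
    {"user": "bob@example.com", "ip": "192.0.2.44", "country": "US", "result": 0},
    {"user": "bob@example.com", "ip": "192.0.2.45", "country": "US", "result": 500121},
    {"user": "bob@example.com", "ip": "198.51.100.200", "country": "RU", "result": 53003},
]


def subnet24(ip):
    """Collapse an IPv4 address to its /24 so neighbouring addresses count as one location."""
    return ip.rsplit(".", 1)[0]


def build_baseline(events):
    """Countries and /24s from which each user has previously *fully* signed in (use a lookback window in production)."""
    seen = defaultdict(lambda: {"countries": set(), "subnets": set()})
    for e in events:
        if e["result"] in SUCCESS:
            seen[e["user"]]["countries"].add(e["country"])
            seen[e["user"]]["subnets"].add(subnet24(e["ip"]))
    return seen


def find_compromised_passwords(events):
    """Flag every sign-in where the password was accepted but the login was stopped later;
    severity is 'high' when the user has never completed a login from that country or subnet."""
    baseline = build_baseline(events)
    alerts = []
    for e in events:
        if e["result"] not in PASSWORD_KNOWN:
            continue
        known = baseline.get(e["user"], {"countries": set(), "subnets": set()})
        new_country = e["country"] not in known["countries"]
        new_subnet = subnet24(e["ip"]) not in known["subnets"]
        alerts.append({
            "user": e["user"], "ip": e["ip"], "country": e["country"],
            "blocked_at": "mfa" if e["result"] in MFA_FAILED else "conditional_access",
            "severity": "high" if (new_country or new_subnet) else "low",
        })
    return alerts
```

Every alert, high or low, means the password should be reset; the severity only decides how urgently a human looks at it.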
Autopilot
Merged in a post:
Alert for Correct Password but Failed MFA Attempt
Test User
Add an alert trigger for login attempts where a user enters the correct password but fails multi-factor authentication (MFA). This would help identify potential account compromise attempts where an attacker has obtained valid credentials but cannot complete the MFA step.
Adam Kemp
This was posted on Reddit, they said the reason was to reduce noise but a lot of us said how we wanted to know so I think something is in the works. They also posted a SIEM scheduled report that can be used in the meantime.
Thomas Waterhouse
I posted about this a couple of weeks ago too. It is crazy that 365/Lighthouse alerts us to these often with a risky user alert, but Huntress does nothing.
Chris Moore
This is the exact reason I chose to go with Blackpoint over Huntress. I love the Huntress group; they are amazing at every turn. However, Blackpoint was the only one that was showing me these alerts. They were also the only one showing me that the logins were coming from other countries; even Microsoft was showing them coming from the US. Blackpoint is pulling in additional data that is allowing them to see that the threat actor was actually relaying from outside the US. It's this type of information that some may see as noise and filter out, but not Blackpoint.
Rick Webster
Ah, that's a brilliant suggestion. Upvote for sure.
Jeffrey Hunt
I second this! It would be incredibly helpful to know if the password is compromised at this point without having to monitor the M365 portals myself all of the time. It would be a huge plus for ITDR.