Other parts of the guide refer to suspicious logins. This document defines what a suspicious login is and why one is flagged on an account.
Office 365 looks for six separate indications of a suspicious login. Each is performed either as a Real-Time Check or as an Offline Check.
Real-Time Check: takes about 5-10 minutes to determine whether the activity is suspicious.
Offline Check: can take between 2 and 4 hours to perform.
Leaked Credentials (Offline Check):
Oftentimes, when credentials have been leaked, they are distributed across dark web and black market sites. These credentials can be sold, or simply posted on message boards. Microsoft actively monitors these sites for credentials belonging to your environment by working with researchers, the Microsoft security team, and law enforcement. If a user's credentials are found in any of these places, the account is marked as suspicious.
Anonymous IPs (Real-Time Check):
It is typical for attackers to attempt to hide their IP addresses behind a proxy. When a login occurs from a known proxy IP address, a suspicious event is created. Microsoft keeps an active list of known proxy IP addresses.
Unrealistic Travel Times (Offline Check):
If an account has multiple logins within a short period of time from two or more different geographic locations, a check is made to verify that the user could have traveled between those locations in that time. A machine-learning model then decides whether the logins should be treated as false positives, based on IP addresses used by other users in the organization and on whether the locations are typical for that user. The model also takes VPN access into account and typically has a 14-day learning period for each account.
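The core of the check above is a speed calculation: distance between the two login locations divided by the time between the logins. The following is an added illustration, not Microsoft's code or the guide's own; it models the false-positive suppression described above by skipping pairs that involve an IP the organization is known to use (such as a shared VPN egress). The 1000 km/h threshold, the geolocated coordinates, and the sample logins are all constructed assumptions; the page gives no numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than a commercial airliner is treated as
# unrealistic. The real Office 365 threshold is not stated on the page.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    ip: str
    lat: float  # geolocation of the source IP, as a GeoIP lookup would supply it
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_unrealistic_travel(logins, org_known_ips=frozenset(),
                            max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier, later, required_speed_kmh) for each consecutive pair of
    logins by the same user that would have required travelling faster than
    max_speed_kmh.  Pairs touching an org-known IP (e.g. a VPN egress shared by
    many users) are skipped, modelling the false-positive suppression the guide
    attributes to the machine-learning model."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)
    flagged = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip in org_known_ips or cur.ip in org_known_ips:
                continue
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if distance == 0:
                continue  # same place; nothing to check
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                flagged.append((prev, cur, speed))
    return flagged


# Constructed sample logins (not real data).
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_LOGINS = [
    Login("alice", T0, "198.51.100.10", 40.7128, -74.0060),                                # New York
    Login("alice", T0 + timedelta(hours=1, minutes=30), "203.0.113.5", 51.5074, -0.1278),  # London, 90 min later
    Login("bob", T0, "198.51.100.20", 47.6062, -122.3321),                                 # Seattle
    Login("bob", T0 + timedelta(hours=3), "198.51.100.21", 45.5152, -122.6784),            # Portland, 3 h later
    Login("carol", T0, "198.51.100.30", 40.7128, -74.0060),                                # New York
    Login("carol", T0 + timedelta(hours=1), "192.0.2.1", 51.5074, -0.1278),                # London via corporate VPN egress
]
ORG_VPN_IPS = frozenset({"192.0.2.1"})  # assumed list of IPs the organization is known to use

if __name__ == "__main__":
    for prev, cur, speed in flag_unrealistic_travel(SAMPLE_LOGINS, ORG_VPN_IPS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} would need {speed:.0f} km/h")
```

Run as-is, only alice is reported: carol's second login comes from the known VPN egress and is suppressed, and bob's Seattle-to-Portland trip is well within the threshold. Passing an empty set for org_known_ips makes carol's pair show up too, which is the kind of false positive the learning period and organization-wide IP knowledge are meant to remove.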
New Locations (Real-Time Check):
When an account is logged in from a new location, a few checks are made to verify that the activity is normal:
- Closeness to typical login locations
- Known devices used to log in
- Known login locations
There is a 30-day learning period during which no flags are triggered while known locations and behaviors are learned. Once this period is over, anything outside these parameters is considered a suspicious login.
Infected Devices (Offline Check):
Devices that have been infected with malware are also flagged as suspicious. A device is identified as infected when traffic between it and known bot servers is detected.
Suspicious Activity (Offline Check):
Accounts are flagged as suspicious when multiple failed login attempts are seen within a short period of time. This check also looks for a single IP address attempting, and failing, to connect to multiple user accounts. Machine learning ignores false positives, such as IP addresses known to be used by others in the organization. There is an initial learning period of 14 days, during which no events are flagged.
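Both patterns described above (many failures against one account, and one address failing against many accounts) reduce to counting failed sign-in events inside a sliding time window. The example below is an added illustration, not Microsoft's code or the guide's own: it runs both counts over a constructed batch of sign-in events, ignores addresses the organization is known to use, and suppresses everything that falls inside a configurable learning period. The window size, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sign-in audit events (not real data):
# (timestamp, source IP, target account, succeeded)
T0 = datetime(2024, 1, 8, 9, 0, 0)
SAMPLE_EVENTS = [
    # 203.0.113.7 tries six different accounts in two minutes, once each
    *[(T0 + timedelta(seconds=20 * i), "203.0.113.7", f"user{i}@example.com", False) for i in range(6)],
    # dave's account receives six failures in a row from one address
    *[(T0 + timedelta(minutes=10, seconds=30 * i), "198.51.100.4", "dave@example.com", False) for i in range(6)],
    # 192.0.2.10 is the office NAT: several people mistype, but it is a known org IP
    *[(T0 + timedelta(minutes=20, seconds=15 * i), "192.0.2.10", f"staff{i}@example.com", False) for i in range(5)],
    # ordinary successful logins
    (T0 + timedelta(minutes=30), "198.51.100.9", "erin@example.com", True),
    (T0 + timedelta(minutes=31), "198.51.100.9", "erin@example.com", True),
]


def _sliding_windows(events, window):
    """Yield, for each event in time order, the run of events that starts there
    and stays within `window` of it."""
    events = sorted(events, key=lambda e: e[0])
    for i, start in enumerate(events):
        j = i
        while j < len(events) and events[j][0] - start[0] <= window:
            j += 1
        yield events[i:j]


def detect_suspicious_activity(events, window=timedelta(minutes=5), max_failures=5,
                               max_targets=3, known_org_ips=frozenset(), learning_until=None):
    """Return {"accounts": [...], "ips": [...]}: accounts that saw at least
    max_failures failed attempts inside one window, and source IPs that failed
    against at least max_targets distinct accounts inside one window.
    Events from known_org_ips, and any event before learning_until (the initial
    learning period), are never flagged."""
    failures = [
        e for e in events
        if not e[3]
        and e[1] not in known_org_ips
        and (learning_until is None or e[0] >= learning_until)
    ]
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in failures:
        by_user[e[2]].append(e)
        by_ip[e[1]].append(e)

    bursts = {
        user for user, evs in by_user.items()
        if any(len(w) >= max_failures for w in _sliding_windows(evs, window))
    }
    sprays = {
        ip for ip, evs in by_ip.items()
        if any(len({e[2] for e in w}) >= max_targets for w in _sliding_windows(evs, window))
    }
    return {"accounts": sorted(bursts), "ips": sorted(sprays)}


if __name__ == "__main__":
    print(detect_suspicious_activity(SAMPLE_EVENTS, known_org_ips=frozenset({"192.0.2.10"})))
```

With the office NAT listed as a known organization IP, only dave's account and 203.0.113.7 are reported; drop that list and 192.0.2.10 is reported as well, which is exactly the false positive the organization-wide IP knowledge exists to remove. Setting learning_until to 14 days after the first event reproduces the initial learning period, during which nothing is flagged.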
G-Suite uses a challenge technique for suspicious logins. First, it checks the user's behavior and decides whether the activity is risky. If the activity is considered risky, the user is issued a challenge. If the user quickly abandons the challenge, or fails it, the account is marked as suspicious.
Challenge Triggers:
- Novel user behavior
- Unusual login location
- Perceived unauthorized login attempt
What Is A Challenge?
User challenges are typically two-factor authentication steps, such as an SMS or email verification.