It's a pretty decent set of baselines and ones that are actively checked/verified by MS, so you can't just cheat your way to a perfect 100. I can't really comment on the default MS365 policies, as we haven't used any default policies in a production deployment, so you've certainly also got a point there, if they're using defaults.

Drifting somewhat off topic: Since they're using 365, they should probably also go to the security center and go through all the reasonable suggestions for improving their "secure score." Hell, our cyber insurance policy carrier actually asks for that when negotiating the policy renewal. I'm simply pointing out one likely source of a late night login and suggesting that investigating the real cause is important, even if it is a legitimate login, because complacency is hazardous.

Even if the user has a valid OAUTH token, you'll still see the login activity there.

Any suggestion that takes the more secure road is of course not a bad suggestion. The wealth of information made available to you if your users have an E3 or especially an E5 plan makes classifying and reacting to potentially suspicious activity so easy. Thankfully that didn't result in any important data leakage or anything, since the account has very low privilege and we don't store documents in the cloud, and require smart cards for computer login. We had one user without MFA on O365 a couple of years ago whose account was logged into at 1AM local time from somewhere in Africa, from a group a forensic team traced back to, surprise surprise, Russia. Thus, a password change across the board for that user is definitely not a bad idea.

A lot of foreign malicious login activity does happen around those times as well, though, so checking the logs should be super high on the priority list for whoever has access to the security center.
If it is even remotely suspicious, it was probably malicious and someone has that user's password (which probably means they have their password for a lot of other things, too, which may not have MFA). I see device reboots and late-night login activity usually between 1-5AM, my local time, due to devices being in different time zones and because of different group policies that stagger stuff a bit.

But the only way to know is to check the logs. I say it because of it being on the hour, in the wee hours.
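Added example (not from this thread or from Microsoft): a small triage pass over constructed sign-in records that flags the pattern discussed above, a quiet-hours login that is also on the hour, from an unexpected country, or without MFA, while not escalating the expected 1-5 AM noise from staggered policies and devices in other time zones. The record shape, field names, UTC offsets and home-country list are assumptions, not the real sign-in log schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records loosely modelled on cloud sign-in log fields.
# "utc_offset" is the user's local offset from UTC in hours (assumed per user).
SIGNINS = [
    {"user": "alice", "utc": "2024-03-12T06:00:00Z", "country": "ZA", "mfa": False, "utc_offset": -4},
    {"user": "bob",   "utc": "2024-03-12T14:10:00Z", "country": "US", "mfa": True,  "utc_offset": -4},
    {"user": "carol", "utc": "2024-03-12T09:03:00Z", "country": "US", "mfa": True,  "utc_offset": -7},
]

HOME_COUNTRIES = {"US"}        # assumed: where this org's users normally sign in from
QUIET_HOURS = range(1, 5)      # 01:00-04:59 local, the window the thread talks about


def local_time(rec):
    """Convert the UTC timestamp of a record to the user's local wall-clock time."""
    t = datetime.strptime(rec["utc"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.astimezone(timezone(timedelta(hours=rec["utc_offset"])))


def signals(rec):
    """Return the list of indicators present on one sign-in record."""
    found = []
    lt = local_time(rec)
    if lt.hour in QUIET_HOURS:
        found.append("quiet-hours")
        if lt.minute == 0:            # exactly on the hour in the wee hours
            found.append("on-the-hour")
    if rec["country"] not in HOME_COUNTRIES:
        found.append("foreign-country")
    if not rec["mfa"]:
        found.append("no-mfa")
    return found


def suspicious(records):
    """Escalate only quiet-hours logins that carry at least one more indicator.

    A quiet-hours login on its own is expected noise (staggered group policy,
    other time zones), so it is reported but not escalated by itself.
    """
    out = []
    for rec in records:
        found = signals(rec)
        if "quiet-hours" in found and len(found) > 1:
            out.append((rec["user"], found))
    return out


if __name__ == "__main__":
    for user, why in suspicious(SIGNINS):
        print(f"investigate {user}: {', '.join(why)}")
```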