Distributed Password cracking attempts detected by Sentinel

image

Over the past couple of days I’ve been inundated with failed logins from locations all around the world. You can see a partial list of those IPs reported in Sentinel above.

image

But, for the first time I also found this alert had triggered an incident in Sentinel – Distributed Password cracking attempts in Microsoft Entra ID, as seen above.

Here is the list and locations so far:

IP Address        Origin (Country)   Potential Organization (if identifiable)
31.141.37.30      Russia             Provider: Rostelecom
38.222.57.97      United States      Comcast Cable Communications
190.99.43.237     Argentina          Telecom Argentina
187.55.129.25     Brazil             Vivo (Telefônica Brasil)
186.77.198.100    Brazil             Oi S.A.
24.152.24.225     United States      Cox Communications
102.212.239.10    Uganda             Uganda Telecom
131.161.44.200    United States      Microsoft Corporation
177.222.169.132   Brazil             TIM Brasil
31.155.228.215    Romania            UPC Romania
168.228.92.190    Brazil             NET Virtua
186.235.247.106   Brazil             Oi S.A.
177.124.90.249    Brazil             Vivo (Telefônica Brasil)
189.84.180.196    Brazil             Oi S.A.
190.89.30.3       Brazil             Vivo (Telefônica Brasil)
201.77.175.53     Brazil             Oi S.A.
206.0.9.157       United States      Comcast Cable Communications
138.0.25.140      Brazil             Oi S.A.
176.29.230.49     Ukraine            Ukrtelecom
191.99.34.144     Brazil             Claro Brasil
87.116.135.139    France             Orange S.A.
170.82.15.6       Brazil             Claro Brasil
84.54.71.37       Spain              Telefónica
170.231.164.96    Brazil             Oi S.A.
45.231.208.166    Mexico             Megacable
190.14.176.31     Colombia           ETB (Empresa de Telecomunicaciones de Bogotá)
85.106.118.20     Italy              TIM (Telecom Italia)
191.189.9.96      Brazil             Claro Brasil
152.249.19.25     Argentina          Telecom Argentina
189.34.199.125    Brazil             Vivo (Telefônica Brasil)
41.225.129.174    Nigeria            MTN Nigeria
85.96.249.52      Italy              Vodafone Italia
197.26.214.34     South Africa       MTN South Africa
187.183.41.6      Brazil             Claro Brasil
177.126.234.232   Brazil             Vivo (Telefônica Brasil)
149.86.137.85     United States      AT&T

Always nice to have Sentinel on the job letting me know what’s going on!
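The pattern Sentinel flagged above is what a distributed password-spray attempt looks like in the raw sign-in data: many failed sign-ins against one account, spread across many source IPs and countries in a short window. The following is an added example (my own code, not something from the original post or from Sentinel) that applies that rule to sign-in records. The records are constructed, reusing a handful of the IPs and countries from the table above; the object shape (UserPrincipalName, IpAddress, Country, Status, CreatedDateTime) is a simplified stand-in for what the Entra sign-in log returns, and the thresholds are my own starting values to tune.

```powershell
# Added example, not from the original post: flag accounts whose failed sign-ins
# arrive from many distinct IPs within a time window (distributed password spray).
function Find-DistributedFailedSignins {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinFailures    = 10,   # failed sign-ins per account before we care
        [int] $MinDistinctIps = 5,    # distinct source IPs among those failures
        [int] $WindowMinutes  = 60    # sliding observation window
    )
    $findings = @()
    # Status 0 is a successful sign-in; anything else is a failure
    $failed = $SignIns | Where-Object { $_.Status -ne 0 }
    foreach ($group in ($failed | Group-Object UserPrincipalName)) {
        $events = @($group.Group | Sort-Object CreatedDateTime)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start  = $events[$i].CreatedDateTime
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($events | Where-Object { $_.CreatedDateTime -ge $start -and $_.CreatedDateTime -lt $end })
            $ips    = @($window.IpAddress | Sort-Object -Unique)
            if ($window.Count -ge $MinFailures -and $ips.Count -ge $MinDistinctIps) {
                $findings += [pscustomobject]@{
                    UserPrincipalName = $group.Name
                    Failures          = $window.Count
                    DistinctIps       = $ips.Count
                    Countries         = (@($window.Country | Sort-Object -Unique) -join ', ')
                    FirstSeen         = $start
                }
                break   # report each account once
            }
        }
    }
    return $findings
}

# --- constructed sample data (sources taken from the table in the post) ---
$sources = @(
    @{ Ip = '31.141.37.30';   Country = 'Russia'        },
    @{ Ip = '38.222.57.97';   Country = 'United States' },
    @{ Ip = '190.99.43.237';  Country = 'Argentina'     },
    @{ Ip = '187.55.129.25';  Country = 'Brazil'        },
    @{ Ip = '102.212.239.10'; Country = 'Uganda'        },
    @{ Ip = '31.155.228.215'; Country = 'Romania'       }
)
$base   = [datetime]'2025-01-01T10:00:00Z'
$sample = @()
# twelve failures against one account in 36 minutes, rotating through six IPs
for ($i = 0; $i -lt 12; $i++) {
    $src = $sources[$i % $sources.Count]
    $sample += [pscustomobject]@{
        UserPrincipalName = 'ceo@contoso.example'      # hypothetical account
        IpAddress         = $src.Ip
        Country           = $src.Country
        Status            = 50126                      # Entra error: invalid username or password
        CreatedDateTime   = $base.AddMinutes(3 * $i)
    }
}
# a normal user: two typos from one home IP, then a success
foreach ($status in @(50126, 50126, 0)) {
    $sample += [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'    # hypothetical account
        IpAddress         = '203.0.113.7'              # RFC 5737 documentation address
        Country           = 'Australia'
        Status            = $status
        CreatedDateTime   = $base.AddMinutes(5)
    }
}

# Only ceo@contoso.example should be reported
Find-DistributedFailedSignins -SignIns $sample | Format-Table -AutoSize
```

Against real data, feed the function the output of the sign-ins script described later on this page (or of Get-MgAuditLogSignIn), mapping the status object's error code onto the Status field. Sentinel applies a far more elaborate version of this logic, but the one-account, many-IPs shape is the essence of the alert.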

Viewing Copilot prompt and responses across the organisation

image

To explore Copilot activity in your environment open:

https://purview.microsoft.com

as a user with appropriate access. Select Solutions on the left and then DSPM for AI as shown above.

image

Then select Activity Explorer and from the list that appears on the right select an entry that says AI interaction as shown above.

You should now see a panel appear from the right with a range of details about that session. Towards the bottom you will find

image

both the Prompt and Response as shown above. You will also see any resources, for example files or links, used in that session.

image

A little further up you will also find where that session took place, in this case from inside an Office app.

Data Security Posture Management (DSPM) for AI has many other resources that you can also take advantage of, but the above is the simplest method I’ve found to quickly see what a Microsoft 365 Copilot prompt and response in the environment was.

Configuring DLP with Microsoft 365 Copilot

Here is a video that takes you through the process of setting up a Data Loss Prevention (DLP) policy that protects content when it is used in Microsoft 365 Copilot.

To achieve this you need to set up Data Labelling in your Microsoft 365 environment which is not covered in this video. Documentation from Microsoft on DLP with Microsoft 365 Copilot can be found here:

Learn about the Microsoft 365 Copilot policy location (preview)

Script to report tenant directory activity

image

I have created a script that uses the Microsoft Graph to report directory activity for the tenant as shown above. You’ll find it here:

https://github.com/directorcia/Office365/blob/master/graph-diraudit-get.ps1

along with the documentation here:

https://github.com/directorcia/Office365/wiki/Report-directory-activity-in-a-tenant

You will need to have the Microsoft Graph PowerShell module installed and up to date.

The first time you run the script you may be prompted to log in to your tenant, and you may also be asked to grant permissions. This script requires:

AuditLog.Read.All
Directory.Read.All

which you may need to consent to the first time.

After the script executes you should see an output as shown above showing the logging service, activity, result, operation, category and time stamp.

You can also use the -csv command line option to write the results to a CSV file in the parent directory.

Script to report tenant signins

image

I have created a script that uses the Microsoft Graph to report signins for the tenant as shown above. You’ll find it here:

https://github.com/directorcia/Office365/blob/master/graph-signins-get.ps1

along with the documentation here:

https://github.com/directorcia/Office365/wiki/Get-tenant-signins

You will need to have the Microsoft Graph PowerShell module installed and up to date.

The first time you run the script you may be prompted to log in to your tenant, and you may also be asked to grant permissions. This script requires:

AuditLog.Read.All
Directory.Read.All

which you may need to consent to the first time.

After the script executes you should see output as shown above, showing the client app used, the IP address, whether it was an interactive login, and the user principal name.

You can also use the -csv command line option to write the results to a CSV file in the parent directory.
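The two scripts above (directory activity and sign-ins) share the same skeleton: connect with the two permissions listed, pull the records through the Microsoft Graph PowerShell SDK, pick the fields that matter, and either display them or export them with -csv. The following is an added example of that skeleton in my own words; it is not the code from the linked scripts. It assumes the Microsoft.Graph module is installed and that the SDK cmdlets Get-MgAuditLogDirectoryAudit and Get-MgAuditLogSignIn are available; the output file names are my own choice.

```powershell
# Added example (not the scripts linked above): common shape of both reports.
# Run as: .\report.ps1            -> display on screen
#         .\report.ps1 -Csv       -> write CSV files to the parent directory
param(
    [switch] $Csv,          # write results to CSV files in the parent directory
    [int]    $Top = 100     # number of most recent records to fetch
)

# Both reports need the same delegated permissions; consent is requested on first use
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Directory activity: logging service, activity, result, operation, category and time stamp
$audit = Get-MgAuditLogDirectoryAudit -Top $Top |
    Select-Object LoggedByService, ActivityDisplayName, Result, OperationType, Category, ActivityDateTime

# Sign-ins: client app used, source IP, interactive flag, account and time stamp
$signins = Get-MgAuditLogSignIn -Top $Top |
    Select-Object ClientAppUsed, IpAddress, IsInteractive, UserPrincipalName, CreatedDateTime

if ($Csv) {
    # file names are my own; ..\ puts them in the parent directory as the scripts above do
    $audit   | Export-Csv -Path '..\diraudit.csv' -NoTypeInformation
    $signins | Export-Csv -Path '..\signins.csv'  -NoTypeInformation
    Write-Host "Wrote ..\diraudit.csv and ..\signins.csv"
}
else {
    $audit   | Format-Table -AutoSize
    $signins | Format-Table -AutoSize
}
```

Both cmdlets return only the requested page of results; add -All instead of -Top when you need the complete history, and expect that call to take noticeably longer on a busy tenant.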

Entra Global Secure Access client for iOS now in preview

In its simplest form, think of Entra Global Secure Access as a full-time secure VPN to resources such as Microsoft 365 services (SharePoint, Exchange, Teams, etc.), on-premises resources and, finally, Internet web sites.

Entra Global Secure Access does this on iOS via a Microsoft Defender app on the device and configuration via Intune. You can now try this out by following:

Global Secure Access client for iOS (preview)

The Entra Global Secure Access service requires a paid subscription as well as Entra ID P1 or P2 (i.e. it is Microsoft 365 Business Premium compatible). When you have enabled the client you will see in Defender:

Screenshot of the iOS Microsoft Defender dashboard.

Unfortunately, the preview as yet doesn’t support Internet traffic forwarding, which the other clients do. Hopefully, that is not far away as that will really make this a killer product in my books.

I have been using Entra Global Secure Access on all my Windows and Android devices for quite a while now without issues and look forward to seeing the iOS client fully mature.

New Secure Score report script

I have created a new script that uses the modern Microsoft Graph method to report all the Secure Score items, and rather than me explaining what the script does I’ll turn it over to GitHub Copilot.

<Enter GitHub Copilot>

This PowerShell script, mggraph-ssdescpt-get.ps1, is designed to interact with the Microsoft Graph API to retrieve and display secure score results. Here’s a step-by-step explanation of its operation and function:

  1. Start Transcript:

    Start-Transcript "..\mggraph-ssdescpt-get.txt"   # record all output to a file in the parent directory

    This line starts recording all commands and their output to a transcript file.

  2. Check Microsoft Graph Connection:

    # $prompt and the *messagecolor variables are assumed to be set earlier in the full script
    try {
        $context = Get-MgContext -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor $errormessagecolor "Not connected to Microsoft Graph. Please connect to Microsoft Graph first using Connect-MgGraph`n"
        if ($prompt) { Stop-Transcript }
        exit
    }
    if (-not $context) {
        Write-Host -ForegroundColor $errormessagecolor "Not connected to Microsoft Graph. Please connect to Microsoft Graph first using Connect-MgGraph`n"
        if ($prompt) { Stop-Transcript }
        exit
    }
    Write-Host -ForegroundColor $processmessagecolor "Connected to Microsoft Graph"
    Write-Host "  - Connected account =", $context.Account, "`n"
    if ($prompt) { pause }

    This block checks if the Microsoft Graph module is installed and if the user is connected to Microsoft Graph. If not, it prompts the user to connect and exits the script.

  3. Set API Endpoint and Method:

    $uri = "https://graph.microsoft.com/beta/security/securescores"
    $method = "GET"
    Write-Host -ForegroundColor $processmessagecolor "Run Graph API Query"

    The script sets the URI for the Microsoft Graph API endpoint to retrieve secure scores and specifies the HTTP method as GET.

  4. Invoke API Request:

    $query = Invoke-MgGraphRequest -Uri $uri -Method $method -ErrorAction Stop

    This line sends a request to the Microsoft Graph API to get secure score results.

  5. Process and Display Results:

    $names = $query.value[0].controlScores          # first entry is the most current secure score snapshot
    $item = 0
    Write-Host -ForegroundColor $processmessagecolor "Display results`n"
    foreach ($control in $names) {
        $item++
        Write-Host -ForegroundColor green -BackgroundColor Black "`n*** Item", $item, "***"
        Write-Host "Control Category     : ", $control.controlCategory
        Write-Host "Control Name         : ", $control.controlName
        Write-Host "Control Score        : ", $control.score
        Write-Host "Control Description  : ", $control.description
        Write-Host "Control On           : ", $control.on
        Write-Host "Implementation status: ", $control.implementationStatus
        Write-Host "Score in percentage  : ", $control.scoreInPercentage
        Write-Host "Last synced          : ", $control.lastSynced
        Write-Host "`n"
        if ($prompt) { pause }                       # -prompt pauses after each control
    }

    The script extracts the secure score results from the API response and iterates through each control score, displaying detailed information about each control.

  6. Complete Script:

    Write-Host -ForegroundColor $systemmessagecolor "`nScript Completed`n"
    if ($prompt) { Stop-Transcript }

    Finally, the script indicates completion and stops the transcript if the $prompt variable is set.

In summary, this script connects to Microsoft Graph, retrieves secure score data, and displays detailed information about each control score in the console.

Output

image

Use the -prompt command line option to pause the output after each item.
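The script above lists every control with its current score, but the question an administrator usually has next is which controls are worth the most remaining points. The following is an added example of my own, not part of the script described above, that answers that by joining the latest controlScores snapshot with the secureScoreControlProfiles collection, which carries each control's maxScore. It assumes an existing Connect-MgGraph session whose scopes include SecurityEvents.Read.All (the permission the Secure Score endpoints require), and it assumes that controlScores.controlName matches the control profile's id, which is how the two collections appear to line up; it also follows @odata.nextLink, since the profiles collection can span several pages.

```powershell
# Added example, not part of mggraph-ssdescpt-get.ps1: rank Secure Score controls
# by points still available. Assumes Connect-MgGraph has already been run with
# SecurityEvents.Read.All; the controlName-to-profile-id join is my assumption.
function Get-SecureScoreGap {
    # the first element of secureScores is the most recent snapshot
    $latest = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/security/secureScores?$top=1').value[0]

    # control profiles hold maxScore; the collection is paged, so follow nextLink
    $profiles = @()
    $uri = 'https://graph.microsoft.com/beta/security/secureScoreControlProfiles'
    while ($uri) {
        $page      = Invoke-MgGraphRequest -Method GET -Uri $uri
        $profiles += $page.value
        $uri       = $page.'@odata.nextLink'
    }
    $maxByName = @{}
    foreach ($p in $profiles) { $maxByName[$p.id] = [double]$p.maxScore }

    $latest.controlScores | ForEach-Object {
        $name  = $_.controlName
        $score = [double]$_.score
        $max   = if ($maxByName.ContainsKey($name)) { $maxByName[$name] } else { $null }
        [pscustomobject]@{
            Control   = $name
            Category  = $_.controlCategory
            Status    = $_.implementationStatus
            Score     = $score
            MaxScore  = $max
            Remaining = if ($null -ne $max) { [math]::Round($max - $score, 2) } else { $null }
        }
    } | Sort-Object Remaining -Descending
}

# Controls with the most unclaimed points come first; unmatched profiles show a blank MaxScore
Get-SecureScoreGap | Format-Table -AutoSize
```

Controls whose name has no matching profile are kept with an empty MaxScore rather than dropped, so a schema mismatch shows up in the output instead of silently shrinking the list.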

Bulk senders insight in Exchange Online

image

If you navigate to

https://security.microsoft.com/senderinsights

you should see the Bulk senders insight console shown above. You can also get to this by selecting an Exchange Online anti-spam policy like so:

image

then scrolling down the dialog that appears on the right and selecting Edit spam threshold and properties as shown above,

image

and then scrolling up to the top of the dialog as shown above.

You can read more about this capability here:

https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight

image

You can adjust the sliders on the left and then select the Simulate button to report on the emails that would be caught at this new level before actually applying it to the policy. The list below the sliders shows the messages that would have been caught, so you know exactly which emails would be affected if this change were made to the BCL level in a spam policy setting.

This is now a handy way to fine-tune the BCL settings inside Exchange Online anti-spam policies.