Large-scale brute force attacks on M365 – Check log-ins as a precaution

In recent weeks, there have been large-scale attempts to guess credentials for the Microsoft cloud. IT admins should check whether any of them succeeded.


(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)


Several sources confirm large-scale attempts to try out credentials against Microsoft 365; heise has also seen attackers rattling at its own door. Even if the acute wave appears to be over, M365 admins should check their logs for successful sign-ins from this campaign as a precaution. This takes only a few minutes.

The brute force attacks first reported by Speartip come mainly from Brazil, but also from a few other rather unusual countries such as Argentina, Turkey, and Uzbekistan. All of them carry the user agent “fasthttp” (the name of a Go HTTP library) and can therefore be identified easily in the logs. Speartip recommends the following quick check:

  1. Log in to the Azure portal.
  2. Navigate to Microsoft Entra ID > Users > Sign-in logs.
  3. Apply the Client App filter “Other Clients” and search for “fasthttp”.

Alternatively, you can perform an audit log search in Microsoft Purview with the keyword “fasthttp”. Speartip also offers a PowerShell script that searches the log files for suspicious access attempts.
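The same check can be run offline against an export of the sign-in logs. The following script is an added example, not heise's text or Speartip's script: it assumes records in the shape of the Microsoft Graph `auditLogs/signIns` resource (only the fields it reads), filters on the “fasthttp” user agent, counts attempts per source country, and separates three cases that matter for the response: successful sign-ins (account taken over), sign-ins that were stopped only by MFA or Conditional Access (the password itself was accepted and must be reset as well), and plain failures. The status-code mapping and the sample records are the example's own assumptions, not data from the page.

```python
"""Triage Entra ID sign-in records for the "fasthttp" campaign.

Added example, not code from heise or Speartip. Expects records shaped like
the Microsoft Graph `auditLogs/signIns` resource (only the fields read below),
e.g. the JSON returned by GET https://graph.microsoft.com/v1.0/auditLogs/signIns.
"""
from collections import Counter
import json

# How this example interprets Entra sign-in status codes. This mapping is an
# assumption made for the example; confirm it against Microsoft's published list.
SUCCESS = 0
INVALID_PASSWORD = 50126
# Password accepted, but MFA or Conditional Access stopped the sign-in:
# the attacker now knows the password, so it must be rotated as well.
PASSWORD_ACCEPTED_BUT_BLOCKED = {50074, 50076, 50079, 53003}

# Constructed sample records for this example (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-14T03:12:01Z", "userPrincipalName": "alice@example.com",
     "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-01-14T03:12:07Z", "userPrincipalName": "alice@example.com",
     "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-01-14T03:12:41Z", "userPrincipalName": "alice@example.com",
     "userAgent": "fasthttp", "ipAddress": "198.51.100.7", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "AR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-14T03:13:05Z", "userPrincipalName": "bob@example.com",
     "userAgent": "fasthttp", "ipAddress": "203.0.113.77", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-01-14T03:13:19Z", "userPrincipalName": "bob@example.com",
     "userAgent": "fasthttp", "ipAddress": "192.0.2.33", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "TR"}, "status": {"errorCode": 50076}},
    {"createdDateTime": "2025-01-14T03:14:02Z", "userPrincipalName": "carol@example.com",
     "userAgent": "fasthttp", "ipAddress": "192.0.2.90", "clientAppUsed": "Other clients",
     "location": {"countryOrRegion": "UZ"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-01-14T08:01:00Z", "userPrincipalName": "dave@example.com",
     "userAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)",
     "ipAddress": "192.0.2.200", "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
]


def load_signins(path):
    """Load a JSON export; accepts a bare list or Graph's {"value": [...]} envelope."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    return data["value"] if isinstance(data, dict) else data


def is_fasthttp(rec):
    """Match the campaign's user agent (case-insensitive, tolerant of a version suffix)."""
    return (rec.get("userAgent") or "").lower().startswith("fasthttp")


def _code(rec):
    return (rec.get("status") or {}).get("errorCode")


def _country(rec):
    return (rec.get("location") or {}).get("countryOrRegion", "??")


def triage(records):
    """Summarise fasthttp sign-ins and list the accounts that need action."""
    hits = [r for r in records if is_fasthttp(r)]
    compromised = {r["userPrincipalName"] for r in hits if _code(r) == SUCCESS}
    password_known = {r["userPrincipalName"] for r in hits
                      if _code(r) in PASSWORD_ACCEPTED_BUT_BLOCKED} - compromised
    return {
        "attempts": len(hits),
        "failed": sum(1 for r in hits if _code(r) != SUCCESS),
        "by_country": dict(Counter(_country(r) for r in hits)),
        "source_ips": sorted({r.get("ipAddress", "") for r in hits}),
        "compromised": sorted(compromised),
        "password_known": sorted(password_known),
    }


def response_actions(report):
    """Turn the triage result into per-account response steps."""
    actions = []
    for upn in report["compromised"]:
        actions.append(f"{upn}: reset password, revoke sessions, start incident response")
    for upn in report["password_known"]:
        actions.append(f"{upn}: reset password (accepted, blocked only by MFA/CA)")
    if not actions:
        actions.append("no successful fasthttp sign-ins; review protective measures")
    return actions


if __name__ == "__main__":
    import sys
    # Usage: python triage_fasthttp.py signins.json   (falls back to the sample data)
    records = load_signins(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SIGNINS
    report = triage(records)
    print(json.dumps(report, indent=2))
    print("\n".join(response_actions(report)))
```

The source IPs and per-country counts the script collects are also the input you would need if you decide to block source ranges later; the per-account lists are the ones to act on first.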


As long as every attempt failed, there is no acute need for action, though you should consider whether your current protective measures are still adequate against this kind of threat. If there are successful sign-ins with the user agent “fasthttp”, however, it is almost certain that the attackers have taken over the account. In that case, reset the credentials immediately, revoke all active sessions and start further incident response. Note that an attempt the log shows as stopped only by MFA or Conditional Access means the password itself was accepted; that password should be reset as well.

If the number of brute force attempts becomes excessive, you can also block the more unusual source regions one by one; Speartip offers lists of ASNs and IPs for this purpose. It is better, however, to harden the sign-in process itself against brute force attacks and attacks with leaked passwords. Two-factor authentication cannot eliminate such threats entirely (the password can still be guessed), but it reduces the risk considerably.

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.