Hey everyone, I recently discovered some strange activity in one of our Microsoft 365 accounts. Someone signed in from a different country at 2 am, and the Purview audit logs show they accessed an email with 'CHECK' in the subject. Additionally, I found that an iPhone 13 was registered as a second Microsoft Authenticator device, but the user insists they've never owned one. I can't find any info on when this device was added since the Entra audit logs only let me download data from the last 7 days. What do you think is the most likely way this could've happened? We have only Passkey (FIDO2), Microsoft Authenticator, and Temporary Access Pass as authentication methods. Also, how can I better detect compromised accounts? I currently check the sign-in logs weekly, but we don't have premium licenses, just Business Standard.
4 Answers
Using conditional access policies can restrict where users can log in from. We've managed to prevent a few of these scenarios by applying such measures.
Have you thought about getting the Entra ID P2 license? It lets you create conditional access policies that can block risky users. Just remember that even if you grab a single license, it could help implement tighter security. But do keep in mind that if an MFA audit happens, you might run into trouble with that.
We’ve been through a similar experience and it was quite a journey to establish device trust and require compliant devices via Conditional Access. I'd definitely recommend that path to bolster your organization's security.
It sounds like the user may have fallen victim to a phishing attack that led to someone stealing their session cookie. It's surprisingly common these days! Keeping that in mind, it’s essential to educate users about identifying phishing emails.
Totally agree! It could easily happen to anyone if they're not careful.
Also, consider requiring MFA to set or change MFA settings. It ensures that adding new devices involves a Temporary Access Pass, and you should look into requiring users to have compliant devices through Intune.