An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period. […]
That explains all the Authenticator attempts I’ve been seeing.
So that’s what’s going on! Just denied three of them. Authenticator should provide the IP address and geolocation of the requesting party. A log should be kept of this info along with the action taken. Instead, they just vanish into thin air.
I believe they’re logged in paid Azure Tenants, and tenants with security licensing can set up Conditional Access policies to do things like restrict IPs from specific countries from making login requests.
I’m just a regular VPN user but I’m in the US exiting in Switzerland. Usually things that show my location and IP address just show Switzerland and/or “unknown” (if it’s smart enough to say “hey, this is a known VPN endpoint”).
If that’s the case with me then I imagine it’s the same with any hacker worth anything. I’m positive they’re using VPNs and/or data centers (which look like VPNs anyway). They probably rent some $5 machines then trash them after some time, so tracking IP addresses isn’t really worth it.