Hi,
I have enabled and am reviewing audit logs for our organization, I am seeing multiple failed login attempts, all from Microsoft owned IP addresses. Here's a sample JSON from the downloaded csv:
{
"CreationTime":"2017-06-07T06:54:43",
"Id":"53e83604-6caa-4c83-a49c-5bede62f28c1",
"Operation":"PasswordLogonInitialAuthUsingPassword",
"OrganizationId":"<redacted>",
"RecordType":9,
"ResultStatus":"failed",
"UserKey":"<redacted>",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"40.97.160.21",
"ObjectId":"<redacted>",
"UserId":"<redacted>",
"AzureActiveDirectoryEventType":0,
"ExtendedProperties":[
{
"Name":"LoginError",
"Value":"-2147217390;PP_E_BAD_PASSWORD;The entered and stored passwords do not match."
}
],
"Client":"Exchange",
"LoginStatus":-2147217390,
"UserDomain":"<redacted>"
}
Here's the whoisip lookup for that IP:
Source: whois.arin.net
IP Address: 40.97.160.21
Name: MSFT
Handle: NET-40-74-0-0-1
Registration Date: 23/02/15
Range: 40.74.0.0-40.125.127.255
Org: Microsoft Corporation
Org Handle: MSFT
Address: One Microsoft Way
City: Redmond
State/Province: WA
Postal Code: 98052
Country: UNITED STATES
Other Microsoft IPs in the logs include: 40.97.128.197, 40.97.128.37, 40.97.130.181, etc. In total 40 unique IP addresses from the Microsoft owned subnet 40.97.*.* in the past week
Any suggestions about what is trying to login from these IP address? Perhaps a tool integration that's broken?
