Google web crawler attempting to sign into Office 365 accounts?

Question

Google web crawler attempting to sign into Office 365 accounts?

JacquesQ 16

Hi,

My organization has been receiving sign in attempts towards Office 365 accounts from what appear to be Google Web Crawlers.

I have added an example of a sign in event to Office 365 Exchange Online below, exported from the Azure Sign in logs of a user:

User, Redacted
Username, Redacted
User type, member
Application, Office 365 Exchange Online
IP address, 66.102.9.95
Location, "Mountain View, California, US"
Status, Interrupted
Sign-in error code, 50074
Failure reason, Strong Authentication is required.
Client app, Browser
Device ID,
Browser, Chrome Mobile 59.0.3071
Operating System, Ios
Compliant, FALSE
Managed, FALSE
Join Type,
MFA result, "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
MFA auth method, Phone call approval (Alternate phone)
MFA auth detail,
Authentication requirement,Multi-factor authentication
Sign-in identifier, Redacted
IP address (seen by resource),
Autonomous system  number,15169
Flagged for review, FALSE
Token issuer type, Azure AD
Token issuer name,
Latency, 140
Conditional Access, Failure

User Agent:

Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 (compatible; Google-Read-Aloud; +https://support.google.com/webmasters/answer/1061943)

A DNS lookup provides authenticity to the IP address being used:

Name:    google-proxy-66-102-9-95.google.com
Address:  66.102.9.95

Something to note is that the usual flow for a normal sign in is:

A sign in event is generated where the user enters their password
A second sign in event is generated where the user completes the MFA challenge
The user is signed in.

In this case, only 2 is seen. The Web Crawler seems to attempt to sign in as the user and triggers the MFA challenge without there ever being a record of a password being entered.

Why would a Google web crawler be attempting to sign into specific user accounts?
Has anyone else experienced similar behavior and has any sort of information as to what is occurring here?

Thanks

Poortenaar, Laura 1 Reputation point

2021-12-23T09:34:26.357+00:00

I have the exact same! Voted + followed, and very interested in any further outcomes.

3 answers

Your answer

Poortenaar, Laura 1 Reputation point

2021-12-23T09:34:26.357+00:00

I have the exact same! Voted + followed, and very interested in any further outcomes.

Answer 1

@JacquesQ ,
Its highly unlikely that the google crawler is trying to sigin on behalf of user. With all the details provided , it seems that the user may have used Google read aloud cloud service on the Office 365 logon page while trying to access their Exchange mailbox. The crawler does not

From the developer page for read aloud user agent, we find the following.

Google-Read-Aloud is the user agent for the Google Read Aloud service. This service enables reading web pages using text-to-speech (TTS). This service is activated when an end user has text to speech enabled and visits a page. The Read Aloud service is used by Google Go, Google Read it, Read Aloud on the Google app, and other Google text-to-speech services.

I have not seen this before . However if you continuously see this then I would filter by timestamp and see who all are the users trying to access the exchange online at the same time. Because if a MFA prompt was triggered then the user would get some notification . If its the right user , the user would know aout the logon or the activity they were trying when this log got generated. If the user whose signin identifier is shown does not know then there may be an issue. Considering the security aspect , I would always suggest to check and verify with the user what device they were using and where all they tired to logon . This is the tricky part as many a times users may not even know but may have clicked something and will miss providing all information to the IT team .

I doubt that the web crawler is trying to sign in as a user. The sigin is clearly user initiated and the user agent value says about the google web crawler. The user agent simply is the browser or application that the user may be using to access the logon page on Microsoft side. As I mentioned above the only explanation that I can think of is that the user have read aloud enabled on the browser agent and they might have tried to logon to the exchange service . and maybe abandoned the logon later but we cant be sure without checking this with the user.

So in a nutshell ,

Should this activity create an security incident ? Yes it should. We cant be more careful these days.
With the above details , is it a high level security issue ? No, it is not . Though it would be good for the Sec Ops team to verify with the user .

Hope the explanation helps. Should you have any further queries , feel free to let us know and we will be happy to help .

Thank you,

----------------------------------------------------------------------------------------------------------------------------------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

JacquesQ 16 Reputation points

2021-10-07T06:48:50.477+00:00

Hi @Shashi Shailaj ,

I really appreciate your response to this.

This is exactly what I thought was occurring, however I was never able to recreate a similar sign in event using the service. I also noticed that the Office 365 sign in page doesn't seem to be readable by the service in the Google App for Ios which is also the end users platform of choice. Unfortunately I am no expert in understanding the inner workings of how the read-aloud service works although I do suspect is has something to do with this. It could have something to do with the service caching the page as documented, but as to how the caching of the pages work I do not know.

Getting information from the End User is also another part of the battle, most users aren't fully aware of what they are doing or how the services they use interact even moments after the event.
This I will continue to work on and will probably be the key to finding out what is actually happening.

I don't suspect that this is anything malicious. According to Google's article on Googlebot Verification, this should be a legitimate Googlebot. But this still doesn't mean this is not a concern.
I'll still keep this open as I would like to have a definitive answer on what is going on to generate an event like this to alleviate my anxiety :)

Thanks,
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator

2021-10-07T10:34:05.047+00:00

@JacquesQ Sure . We can keep it open and its not a problem. I hope someone in the community may have experience with read aloud service and may be able to I understand the user interaction issues that you described. We can hope for details from other members in the community who may have similar experience.

Answer 2

JacquesQ 16

Bumping this thread.

Answer 3

Patrik Karlsson 0

Any news on this? We see the same patterns

Share via

Google web crawler attempting to sign into Office 365 accounts?

3 answers

Your answer