Single-Use Code

Abdul Majed Macabangon 0 Reputation points
2023-07-27T05:07:08.4333333+00:00

Hi,

Multiple clients in our organization are unexpectedly receiving a Single-Sign Code sent by the sender "account-security-noreply@accountprotection.microsoft.com", and they are receiving this email almost daily; we have monitored 23 emails sent to one of our clients within 30 days. We are alarmed, as it could possibly be a sign of brute-forcing, but we have looked into and investigated the sender's details and its reputation, and it seems that the email is legitimate.

We would like to confirm what causes this scenario. According to our clients, the email was even sent at unexpected times of the day. Any recommendations on where to check this? Here are sample emails sent to our clients.


Thank you very much

Microsoft Authenticator

1 answer

  1. Will 420 Reputation points
    2023-07-27T06:10:34.1933333+00:00

    To start - emails from @accountprotection.microsoft.com are legitimately from Microsoft:

    https://support.microsoft.com/en-us/account-billing/can-i-trust-email-from-the-microsoft-account-team-685fd302-f52f-1a9f-cc13-065dec46fe25

    Also, I'm guessing that your clients are B2B guests? If so, all anyone needs to do to start the authentication is to supply their email address in your tenancy. MSFT then just sends a one-time passcode to their email and waits for them to enter the passcode.

    Diagram showing an overview of Email one-time passcode.

    Question: have you examined your Azure/M365 audit logs? You should see the auth/sign in requests that mirror the OTP codes being sent.

    I'm guessing you'll see a status of interaction_required because the requester didn't enter one. However, I would specifically look at the origin IP or location/country.

    If it's some kind of password spraying event, you'll see the origin country from all over the globe.

    Since the OTP is sent upon supplying a registered email, what you could do is filter it with a conditional access policy with restrictions such as:

    • Geofencing
    • Blocking of non-standard/non-corporate platforms (example: blocking of Windows Phone, Linux, Chromebooks, etc.)

    Hope that helps

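The triage the answer describes, as an added example that is not part of the original answer or of any Microsoft tool: given exported sign-in log records, count, per B2B guest, the OTP sign-ins that were started but never completed and the distinct countries they came from, then flag guests whose pattern looks like spraying rather than a real user. The sample records below are constructed, not real logs; their field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `userType`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`, `status.failureReason`), and treating a `failureReason` of `interaction_required` as "OTP sent, never entered" is an assumption taken from the answer above. Real records carry more fields (and an `errorCode` on failures too); the thresholds and the allow-listed country are illustrative.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records in JSON-lines form (NOT real log data).
# guest1 is the suspicious pattern: five started-but-never-completed OTP
# sign-ins from five countries. guest2 is a normal guest: one pending OTP
# followed by a success from the same address. alice is a member, not a guest.
SAMPLE_SIGNIN_LINES = """
{"createdDateTime":"2023-07-20T02:11:09Z","userPrincipalName":"guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"203.0.113.10","location":{"countryOrRegion":"BR"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-20T13:42:51Z","userPrincipalName":"guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-21T03:05:12Z","userPrincipalName":"guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"192.0.2.200","location":{"countryOrRegion":"NG"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-22T23:58:40Z","userPrincipalName":"guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"203.0.113.45","location":{"countryOrRegion":"VN"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-23T08:14:02Z","userPrincipalName":"guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"198.51.100.9","location":{"countryOrRegion":"CN"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-24T09:01:33Z","userPrincipalName":"guest2_northwind.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"203.0.113.88","location":{"countryOrRegion":"PH"},"status":{"failureReason":"interaction_required"}}
{"createdDateTime":"2023-07-24T09:03:10Z","userPrincipalName":"guest2_northwind.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","ipAddress":"203.0.113.88","location":{"countryOrRegion":"PH"},"status":{"errorCode":0}}
{"createdDateTime":"2023-07-24T10:30:00Z","userPrincipalName":"alice@fabrikam.onmicrosoft.com","userType":"member","ipAddress":"203.0.113.88","location":{"countryOrRegion":"PH"},"status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_guest_otp(records):
    """Per guest UPN: OTP sign-ins started but never completed ("pending"),
    completed sign-ins, and the distinct source IPs/countries of the pending ones.
    Members are skipped; the page's concern is B2B guests."""
    summary = defaultdict(
        lambda: {"pending": 0, "completed": 0, "ips": set(), "countries": set()}
    )
    for rec in records:
        if rec.get("userType") != "guest":
            continue
        entry = summary[rec["userPrincipalName"]]
        status = rec.get("status", {})
        if status.get("errorCode") == 0:          # errorCode 0 = successful sign-in
            entry["completed"] += 1
        elif status.get("failureReason") == "interaction_required":
            # Assumption (from the answer): OTP was sent, but never entered.
            entry["pending"] += 1
            entry["ips"].add(rec.get("ipAddress"))
            entry["countries"].add(rec.get("location", {}).get("countryOrRegion"))
    return dict(summary)


def flag_suspicious(summary, min_pending=3, min_countries=2, allowed_countries=frozenset()):
    """Flag guests with many never-completed OTPs, no successful sign-in at all,
    and pending attempts from several countries outside the allow-list.
    Returns {upn: sorted list of unexpected countries}."""
    flagged = {}
    for upn, entry in summary.items():
        unexpected = {c for c in entry["countries"] if c not in allowed_countries}
        if (entry["pending"] >= min_pending
                and entry["completed"] == 0
                and len(unexpected) >= min_countries):
            flagged[upn] = sorted(unexpected)
    return flagged


if __name__ == "__main__":
    summary = summarize_guest_otp(parse_signins(SAMPLE_SIGNIN_LINES))
    # The org in this constructed sample operates from PH, so PH is expected.
    for upn, countries in flag_suspicious(summary, allowed_countries={"PH"}).items():
        print(f"{upn}: {summary[upn]['pending']} unfinished OTP sign-ins from {countries}")
```

In practice the records would come from the Entra ID sign-in logs (the Microsoft Graph `auditLogs/signIns` endpoint, or an export from the portal) rather than an embedded string, and the flagged guests are the ones worth covering with the Conditional Access named-location and platform restrictions the answer suggests. The check deliberately requires zero completed sign-ins: a guest who eventually finishes the OTP flow from a known location is far more likely to be a user struggling with their mailbox than a spraying target.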
