Blocked sign-in due to IP. What about password?

Shimshey Rosenberg 21 Reputation points

When seeing a blocked sign-in that says "Failure reason:
Sign-in was blocked because it came from an IP address with malicious activity."
Does this mean that they used the correct password and were blocked after entering the password? Or that they were blocked before having a chance to enter the password?

Azure Active Directory

9 answers

  1. AmanpreetSingh-MSFT 56,006 Reputation points

    @Shimshey Rosenberg Unfortunately, your understanding is not completely correct. There are 3 different things here:

    1. Machine learning
    2. Sign-in Risk detection
    3. Account lockout.

    First, Azure AD Identity Protection uses machine learning to mark an IP address as a suspicious address. An IP address is marked as suspicious only if a high number of failed sign-in attempts come from that address during a short period of time. The IP address will be marked as malicious by the machine learning algorithm. This shouldn't be considered risk detection in itself; rather, going forward it helps with risk detection.

    Risk detection: once the IP address is marked as a suspicious address and a sign-in attempt is made from that address, that will be considered a risky sign-in. This is considered risk detection. However, if you enter an incorrect password during sign-in from a malicious address, you will get the "Your account or password is incorrect. If you don't remember your password, reset it now." message.

    The error "Account is locked because user tried to sign in too many times with an incorrect user ID or password." completely depends on the setting below:
    [image not available]

    If this helps clarify your questions, please mark it as Accepted Answer.

  2. Shimshey Rosenberg 21 Reputation points

    @AmanpreetSingh-MSFT, I appreciate you getting back to me. I certainly believe that at least now you did the proper research before answering.

    The whole point of my previous comment was that the paragraph below is completely wrong and misleading.

    The message "Failure reason Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after correct password is entered from a malicious IP address.

    According to what I wrote, and to the best of my current knowledge on this subject, this is NOT true. You can, and will, see this failure reason in the logs regardless of whether a correct or incorrect password was entered.

    Being that you are a Microsoft employee (according to your profile), can you agree that this is the case?

    "Sign-in was blocked because it came from an IP address with malicious activity" does not mean that anyone entered the correct password.

    True or not?

  3. Shimshey Rosenberg 21 Reputation points

    Good morning @AmanpreetSingh-MSFT

    Sorry for my delayed response, but I was out of the office on Friday.

    First off, I am unable to view the "risk detections" as my subscription does not provide me access to it. I can only see Azure AD > Users > Sign-Ins. All the comments I have made above with regard to logs are from these logs only.

    I have seen logs mentioning invalid credentials, but this did not change my view on this.

    I will take a moment and assume you are right (not that you are, but building on that) and try to figure out some things. But first, let's summarize what we are seeing in the logs, assuming you are right.

    • A tenant with 150 mailboxes, with Azure AD Connect installed for password sync
    • For 70+ users, logs are indicating (again, according to you) that someone somewhere tried to gain access using the correct credentials [Question: how do they have the credentials?]
    • All users are forced to change their local AD password, with password policies restricting them from reusing the same passwords as in the past [effectively updating the Azure password]
    • Sign-in attempts did not stop. They are still using the correct passwords (according to you)

    The BIG question: how are "they" getting the correct password?
    At this time, I have some possible answers:

    1. Some form of keylogger on ALL on-premises systems (likelihood: low)
    2. Some form of zero-day exploit against AD or AAD Connect from which they can retrieve passwords (likelihood: ???)
    3. Some method of accessing Microsoft's password database AND reverse engineering it (likelihood: low)

    While I am still weighing these three possible answers (there may be more possibilities, but these are the ones that I was able to come up with...), I saw that some "Azure only" accounts that are not synced from on-prem are also being flagged with the same sign-in attempts, which according to you means someone has their password.

    So, option 2 above is out of the question. Simply put, there is no local AD account for those users. I then moved on to eliminate option 1 (keylogger) by changing those passwords on mobile (a different type of device and a different network). And guess what: although these accounts were not accessed by "anyone" and no one besides me knew their passwords, they were still being flagged!

    Now, I think that I have successfully eliminated all options besides option 3, effectively leaving me with one option from the list above: they somehow can get all passwords from Microsoft directly and reverse engineer the passwords.
    Due to many reasons, I find that highly unlikely, therefore leaving me with only one other option, which is that "this error message does NOT mean that anyone tried using the correct password".
    If you still disagree with me, please reply in detail why you do.

    All the best, Shimshey

  4. Gabriel Rocha de Oliveira 0 Reputation points

    I read the entire thread!

    Basically, then, the error "Sign-in was blocked because it came from an IP address with malicious activity" (failure reason)

    doesn't mean that the "attacker" was able to enter the password correctly, right?

    Unlike another known failure reason, which in turn is actually the result of a correct password: "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance."