Information Technology Navigator

Tips, Advice & Insights from Technology Pros

Optimizing O365 Impossible Travel

Posted by Steve Caprio

Tue, Apr 06, 2021


Cloud security is a constant concern for organizations of every size. Keeping malicious actors out of your company’s systems and data is a top priority, but the variety of attack techniques and the sophistication of the attacks make that difficult. One area of particular concern is the use of legitimate but compromised user credentials. For example, suppose a password I use frequently (maybe even a strong one) is exposed in a breach of an e-commerce company. The malicious actor in Moscow who obtains this user ID (likely one of my email addresses) and password does a quick lookup on LinkedIn and finds that I work at Daymark. From there the attack is obvious: they now have a legitimate username and password combination, and while we do employ multi-factor authentication, that control is under constant threat as well.

Risk Mitigation

So how do you properly mitigate the risk of an apparently legitimate sign-in with confidence, rather than guesswork? A while back we published a blog, “Understanding Office 365 Impossible Travel,” that detailed how we at Daymark leverage this Microsoft Cloud App Security feature. Microsoft Cloud App Security’s anomaly detection features have helped tremendously. They provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML), so you are ready from the outset to run advanced threat detection across your cloud environment.

Anomaly Detection

Anomalies are detected by scanning user activity. Risk is evaluated from over 30 different risk indicators, grouped into the following risk factors:

  • Risky IP address
  • Login failures
  • Admin activity
  • Inactive accounts
  • Location
  • Impossible travel
  • Device and user agent
  • Activity rate

Based on the policy results, security alerts are triggered. Cloud App Security looks at every user session in your cloud and alerts you when something deviates from your organization’s baseline or from the user’s regular activity.

Alert Triggers

Back to our scenario of the malicious actor in Moscow. I sign in at 8:30 am Eastern (EDT) to begin my day; in Moscow it is 3:30 PM. Three hours later the malicious actor signs into my account successfully. Several factors would cause Cloud App Security to pick up this logon:

  1. The IP address this person is using has likely already been flagged as risky because it has been involved in similar malicious activity.
  2. The behavior is unusual for me: I don’t usually work from Moscow.
  3. Finally, given my logon near Boston just three hours earlier, it would be impossible for me to have arrived in Moscow and signed in from there.
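
The velocity check behind the “impossible travel” indicator in the risk-factor list above and in the Moscow scenario, as an added Python example (not Microsoft’s code and not Daymark’s tooling): it takes sign-in events that already carry a geolocation (in the real service that comes from the IP-to-location lookup), computes the great-circle distance between consecutive sign-ins for each user, and flags any pair whose implied travel speed is faster than an airliner. The sample events, their IP addresses and coordinates, and the 1,000 km/h threshold are all constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Roughly the cruising speed of a commercial airliner. If two sign-ins imply a
# faster speed than this, one person cannot have made both of them.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Constructed sample sign-in events for two users (not a real MCAS/Azure AD export).
# Times are UTC: 12:30Z is 8:30 am EDT in Boston. IPs are RFC 5737 documentation
# addresses; coordinates are approximate city centres.
SIGN_INS = [
    {"user": "steve", "time": "2021-04-06T12:30:00+00:00", "ip": "198.51.100.23",
     "lat": 42.36, "lon": -71.06, "city": "Boston"},
    {"user": "steve", "time": "2021-04-06T15:30:00+00:00", "ip": "203.0.113.77",
     "lat": 55.75, "lon": 37.62, "city": "Moscow"},
    {"user": "alice", "time": "2021-04-06T12:00:00+00:00", "ip": "198.51.100.40",
     "lat": 42.36, "lon": -71.06, "city": "Boston"},
    {"user": "alice", "time": "2021-04-06T16:30:00+00:00", "ip": "192.0.2.15",
     "lat": 40.71, "lon": -74.01, "city": "New York"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per pair of consecutive sign-ins (per user) whose implied
    travel speed exceeds max_speed_kmh.

    Pairs from the same IP are skipped: the indicator is about a change of
    location, not about signing in twice from the same place."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: datetime.fromisoformat(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            # Two distant sign-ins at the same instant are the worst case, not a
            # division error: treat the implied speed as infinite.
            speed_kmh = float("inf") if hours == 0 else dist_km / hours
            if speed_kmh > max_speed_kmh:
                alerts.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "distance_km": round(dist_km), "hours": round(hours, 2),
                    "speed_kmh": round(speed_kmh),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(SIGN_INS):
        print(f"{a['user']}: {a['from']} -> {a['to']}, {a['distance_km']} km "
              f"in {a['hours']} h ({a['speed_kmh']} km/h)")
```

Run as written, it flags only steve’s Boston-to-Moscow pair (about 7,200 km in three hours, roughly 2,400 km/h) and leaves alice’s Boston-to-New York pair alone. The real service does more than this: it learns a per-user baseline before alerting, and most of the tuning work in practice is excluding sign-ins that arrive through corporate VPN or cloud egress addresses, which geolocate far from where the user actually sits and are the main source of false positives for this indicator.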

When any of these flags is raised, the detection feeds back to Identity Protection in Azure AD (according to your settings), and from there it can trigger automated account actions such as requiring a password change or temporarily disabling the account until an admin intervenes.

To conclude, the features of Microsoft Cloud App Security are powerful and can help an IT admin sleep better at night. However, they do require some tuning, and the possibilities go far beyond what was discussed in this blog. If you are interested in learning more about Microsoft Cloud App Security or need help implementing a comprehensive strategy, Daymark can help. Click here to get started and check out the fun gifts we have when you schedule a 20-minute meeting with us.