Agenda

Password Spray

One Friday afternoon

Colleague

Account Executive

Customer

Sunday

Customer

Password Spray

Josi@contoso.com

Chance@wingtiptoys.com

Rami@fabrikam.com

TomH@cohowinery.com

AnitaM@cohovineyard.com

EitokuK@cpandl.com

Ramanujan@Adatum.com

Maria@Treyresearch.net

LC@adverture-works.com

EW@alpineskihouse.com

info@blueyonderairlines.com

AiliS@fourthcoffee.com

MM39@litwareinc.com

Margie@margiestravel.com

Ling-Pi997@proseware.com

PabloP@fineartschool.net

GiseleD@tailspintoys.com

Luly@worldwideimporters.com

Newyear2020!Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

Newyear2020!

730,000+Compromised accounts due to password spray

(last 4 months)

~100%Percentage of password spray attacks

from legacy protocols

Let’s agree on terminology

Basic Authentication

Legacy Authentication

Modern Authentication

Legacy Authentication, examples…

• POP, IMAP, SMTP, etc.

• Most mobile mail apps

Legacy Authentication, examples…

Mail clients that use Legacy Auth

Office 2010 and older

Office 2013 by default (can use modern auth with reg key)

Clients using older mail protocols

• POP, IMAP, SMTP, etc.

• Most mobile mail apps

Legacy Authentication, examples…

Mail clients that use Legacy Auth

Office 2010 and older

Office 2013 by default (can use Modern Auth with reg key)

Clients using older mail protocols

• POP, IMAP, SMTP, etc.

• Most mobile mail apps

Agenda

Finding Legacy Authentication

Finding Legacy Authentication In Azure AD

Finding Password Spray due to Legacy Authentication

in ADFS

ADFS Audit 411

Parsing script:

https://gallery.technet.microsoft.com/script

center/ADFS-Account-Lockout-and-

2d9a9a90

For 2016+, Audit 1203

Azure AD Connect Health Risky IP

Report

Azure AD + Azure Monitor =

Storing massive

amounts of

unstructured data

Big data streaming

platform and event

ingestion service

Collects telemetry

to retrieve and

analyze data

Store (JSON) Push to SIEM Analyze

Pull (JSON)

Azure AD + Azure Monitor =

Azure Sentinel

• Pull from Azure AD Graph API

• Azure Event Hub• Pre-Built Integration into Azure Monitor, will PUSH events to SIEM

• Splunk (aka.ms/aad2splunk)

• Sumo Logic (aka.ms/aad2sumo)

• IBM QRadar (aka.ms/aad2QRadar)

• ArcSight (aka.ms/aad2Archsight)

• SysLog (aka.ms/aad2Syslog)

• Azure Log Analytics or Azure Sentinel

• https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory

Azure AD Logs into SIEM

Azure Log Analytics Workbooks

Legacy Auth

Azure Log Analytics Workbooks – Edit Mode

Azure Sentinel Workbooks

Agenda

Blocking Legacy Authentication

Identity Protection

Role Based Access Control

Core Store

Azure Active DirectoryAuthentication

Services

Office 365

Conditional Access Engine

Legacy Authentication

Client

Microsoft Cloud Services

Client Network

IDP

On-premises

DC

******

U/P App Cache

Conditional Access Policies

Exchange Online

AD FS

Azure AD

Key

Authentication flows

Authorisation flows

App-Specific traffic

Stop!

Mailbox Auth Lockdown

Authentication Policies

Client IP Block

Extranet Soft Lockout

Extranet Smart Lockout

AD FS AuthZ rules

Blocking Legacy Auth in Exchange

https://docs.microsoft.com/en-

us/powershell/module/exchange/client-access/set-

casmailbox?view=exchange-ps

https://docs.microsoft.com/en-us/exchange/clients-and-

mobile-in-exchange-online/disable-basic-authentication-

in-exchange-online

https://docs.microsoft.com/en-

us/powershell/module/exchange/organization/set-

organizationconfig?view=exchange-ps

ADFS Extranet and Smart Lockout

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-

lockout-protection

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-

protection

Blocking Authorisation in ADFS / Federation Provider

https://docs.microsoft.com/en-us/windows-

server/identity/ad-fs/operations/access-control-

policies-w2k12

Blocking Legacy Authentication in Azure AD

• Block today with Conditional Access

• Only Service Accounts / apps

should remain• Ring-fence and protect

• Report Only mode

https://docs.microsoft.com/en-us/azure/active-

directory/conditional-access/concept-conditional-access-

report-only

Agenda

Go Do’s!

Go Dos!

Enable MFA / Go Passwordless / Device Trust

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

Smart Lockout https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-

lockout-protection

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-discovering-and-

blocking-legacy-authentication/ba-p/369725

Go Dos!

Ask for forgiveness, not permission

https://aka.ms/passwordguidance

Deploy Azure AD Password Protection to on premises

https://aka.ms/deploypasswordprotection

https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

Bonus Content: I’ve been Legacy Auth’ed! Help me!

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance

https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/

Best practices for defending against password spray attacks

https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-

against-password-spray-attacks/

ianfarr@microsoft.com

ianparr@microsoft.com