conditional access failures
complete
Walt Shank
We're using SaaS Alerts currently and one alert I would like to see in Huntress is when an account has authenticated with a valid password but fails a conditional access policy that otherwise blocks the sign-in. This is common when a user submits creds to a phishing message but the threat actor attempts to sign in from an unauthorized location. The account is still considered compromised, thus requiring remediation.
Alex Bluemel
2 years later and Huntress ITDR still doesn't create any alerts when a user enters their credentials in an EvilProxy phishing page but is blocked by conditional access? This seems a massive oversight, in that user credentials are compromised and this is detectable, but ignored.
Canny AI
Merged in a post:
Alert of successful M365 login, but failed based on Conditional Access
Michael Gibby
Would like an alert when a user successfully signs into M365 but fails a Conditional Access policy. For example, user gets phished, MFA is bypassed but CA geo policy blocks the sign-in.
Currently Lighthouse does this via "risky user" alert if you have it configured, which can take days to receive the alert. Huntress does not alert on this attack vector at all.
All of this data is available in Entra sign-in logs, and licence-agnostic. Can Huntress create this alert?
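The pattern Walt and Michael describe (password accepted, session then blocked by Conditional Access) can be pulled straight out of the Entra sign-in log. The following is an added example, not Huntress or SaaS Alerts code: it runs a simple detector over constructed records shaped like the Microsoft Graph `signIn` resource and flags the accounts whose credentials are known to the attacker even though no session was established. The sample users, IPs and locations are made up.

```python
"""Flag sign-ins where the password was accepted but Conditional Access
blocked the session. Field names follow the Entra ID sign-in log schema
(Graph `signIn` resource); the records below are constructed examples."""
import json

# AADSTS53003: "Access has been blocked by Conditional Access policies".
BLOCKED_BY_CA = 53003

# Constructed sample log: one CA block after a good password (the case we want),
# one plain bad-password failure (noise), one normal successful sign-in.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "RO"},
  "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."},
  "conditionalAccessStatus": "failure",
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}]},
 {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "RO"},
  "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
  "conditionalAccessStatus": "notApplied",
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": false}]},
 {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.5",
  "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0},
  "conditionalAccessStatus": "success",
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}]}
]""")

def password_accepted(record):
    """True if a first-factor password step succeeded in this sign-in."""
    return any(d.get("authenticationMethod") == "Password" and d.get("succeeded")
               for d in record.get("authenticationDetails", []))

def blocked_by_conditional_access(record):
    """True if a CA policy stopped the sign-in (status field or AADSTS53003)."""
    return (record.get("conditionalAccessStatus") == "failure"
            or record.get("status", {}).get("errorCode") == BLOCKED_BY_CA)

def find_compromised_credentials(records):
    """Return (user, ip, country) for sign-ins that Conditional Access stopped
    *after* the password was accepted: the credential is in the actor's hands
    even though no session was established, so it needs a reset."""
    hits = []
    for r in records:
        if password_accepted(r) and blocked_by_conditional_access(r):
            hits.append((r["userPrincipalName"], r["ipAddress"],
                         r.get("location", {}).get("countryOrRegion", "?")))
    return hits

if __name__ == "__main__":
    for user, ip, country in find_compromised_credentials(SAMPLE_SIGNINS):
        print(f"ALERT: valid password for {user} from {ip} ({country}) blocked by CA; reset credentials")
```

Plain bad-password failures (error 50126) are deliberately not matched, which keeps the noise Arthur worries about out of this particular signal.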
Arthur Ebbinger
This would need to be implemented carefully - we would not like to see a barrage of alerts due to failed logins from conditional access policies, as users have a tendency to not alert us to when they are traveling. This would be great to have - if it is only alerting on positive MFA token theft or MFA bypass.
Otherwise, I fear it will be very noisy, just like the unwanted access alerts were when they were first added.
Michael Gibby
Is there any update on this, as we are seeing a rise of these attacks. Huntress is missing them and only Lighthouse is catching them.
Canny AI
Merged in a post:
Alerts on Sign-in was blocked because it came from an IP address with malicious activity
Peter Grice
Although the "Sign-in was blocked because it came from an IP address with malicious activity" message does not differentiate whether the credentials were correct or not, it would be nice to know if the sign-in would have been successful (compromised credentials) and could have been successful from another location.
Robert Dana
complete
We don't plan to alert on every conditional access failure because they are very noisy (legit users do screw up MFA!), but we released a v2 update in January to the detector Josh posted about in December, and we consider this capability to be complete now (or as complete as detectors ever are... we tweak / tune them constantly).
Josh Lambert
in progress
Hi All!
We've recently released a credential stuffing detection. It's generated a ton of incident reports, and is our first big step in detecting this sort of threat actor behavior 🙂.
More to come, but wanted to let you know we're actively pursuing it.
Best wishes,
Josh