How can we help you?

EVENT

Account Locks - 3 or more lock actions for any connected SaaS application within 12 hours.

RECOMMENDED ACTION

Contact the Customer or User and make them aware of this event.  If it is not several admin suspensions, this event indicates an active ongoing attempt to execute a brute force login attack on the user account.  The account should be secured by forcible log-out from all devices (if the SaaS Product provides this functionality), resetting the user password using complex password best practices, and enabling MFA if offered and not enabled.  If this problem persists, it is advised to create a new login account for this user and remove the account which is under persistent attack.  If the account is associated with a user mailbox the previous account can be added as an alias to the new user account.

ALERT TYPE

Critical Alert 

Supplemental Information:

-  The Multiple Account lock event Logic is unique to SaaS Alerts and this event is not created by Microsoft internally

-  Microsoft Conditional Access rules do not prevent a user account from completing a sign-in.  Instead, they allow the account sign-in to proceed and AFTER the account is signed in Conditional Access chooses to allow or block interaction with Microsoft 365 assets.  Hackers do not know if Conditional Access rules are in place or not, so they may attempt to guess the correct credentials using sign-in automation and in doing so lock the account.

- The Multiple Account lock event occurs when a user (or more commonly a hacker or bot) attempts to log in to the account 10 or more times in rapid succession.   Microsoft then locks the account.  The account is unlocked after 15 minutes.  If the hacker or bot tries again and re-locks the account SaaS Alerts tracks that activity.  If the Account is locked by this repeated action more than 3 times within 12 hours, SaaS Alerts creates the alert.

The Multiple Account Lock event is designed to inform the MSP Partner (and by extension their customer) that a Particular account is under active reconnaissance or attack.  It is prudent to make certain that these accounts have strong passwords, and hopefully, MFA enabled.  The repeated indication of account locks is a great way to demonstrate to a customer that theyNEEDMFA enabled and enforced if they are reluctant to do so.