SaaS Alerts will continue to create Multiple Account Lock events regardless of any Conditional Access rules in place to block access to tenant resources. This happens for the following reasons:
- The Multiple Account Lock event logic is unique to SaaS Alerts; this event is not created by Microsoft internally.
- Microsoft Conditional Access rules do not prevent a user account from completing a sign-in. Instead, they allow the sign-in to proceed and, AFTER the account is signed in, Conditional Access decides whether to allow or block interaction with Microsoft 365 assets. Hackers do not know whether Conditional Access rules are in place, so they may attempt to guess the correct credentials using sign-in automation and, in doing so, lock the account.
- The Multiple Account Lock event occurs when a user (or, more commonly, a hacker or bot) attempts to log in to the account 10 or more times in rapid succession. Microsoft then locks the account, and the account is unlocked after 15 minutes. If the hacker or bot tries again and re-locks the account, SaaS Alerts tracks that activity. If the account is locked by this repeated action more than 3 times within 12 hours, SaaS Alerts creates the alert.
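The lockout-counting logic described above, as an added illustration rather than SaaS Alerts' own code: it derives Microsoft-style lockouts from constructed failed sign-in records and raises the alert when one account is locked more than 3 times within 12 hours. The 5-minute "rapid succession" window, the rule that a successful sign-in resets the failure count, and the sample account names are assumptions.

```python
# Added illustration of the Multiple Account Lock logic; not SaaS Alerts' code.
from collections import defaultdict
from datetime import datetime, timedelta

FAILURES_TO_LOCK = 10                      # page: 10+ attempts in rapid succession
RAPID_WINDOW = timedelta(minutes=5)        # ASSUMPTION: what "rapid succession" means
LOCKOUT_DURATION = timedelta(minutes=15)   # page: account unlocked after 15 minutes
LOCKS_THRESHOLD = 3                        # page: alert when locked MORE than 3 times
LOCKS_WINDOW = timedelta(hours=12)         # page: ... within 12 hours

def derive_lockouts(attempts):
    """attempts: (timestamp, user, success) tuples. Returns {user: [lockout times]}."""
    recent = defaultdict(list)   # per-user failures inside the rapid window
    locked_until = {}            # per-user end of the current 15-minute lock
    lockouts = defaultdict(list)
    for ts, user, success in sorted(attempts):
        if success:              # ASSUMPTION: a good sign-in resets the failure count
            recent[user] = []
            continue
        if user in locked_until and ts < locked_until[user]:
            continue             # attempts against a locked account are refused, not counted
        recent[user] = [t for t in recent[user] + [ts] if ts - t <= RAPID_WINDOW]
        if len(recent[user]) >= FAILURES_TO_LOCK:
            lockouts[user].append(ts)
            locked_until[user] = ts + LOCKOUT_DURATION
            recent[user] = []
    return dict(lockouts)

def multiple_account_lock_alerts(lockouts):
    """Returns {user: time of the lockout that tripped the alert}."""
    alerts = {}
    for user, times in lockouts.items():
        for i, ts in enumerate(times):
            if len([t for t in times[:i + 1] if ts - t <= LOCKS_WINDOW]) > LOCKS_THRESHOLD:
                alerts[user] = ts
                break
    return alerts

def constructed_sample():
    """Constructed data: a bot hammers alice four times in an hour, retrying a minute
    after each lock expires; bob is only hit twice, so bob should NOT alert."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    attempts = []
    for user, bursts in (("alice@example.com", 4), ("bob@example.com", 2)):
        for n in range(bursts):
            start = t0 + n * (LOCKOUT_DURATION + timedelta(minutes=1))
            for i in range(12):  # 12 failures two seconds apart: the 10th locks the account
                attempts.append((start + timedelta(seconds=2 * i), user, False))
    return attempts
```

Running `multiple_account_lock_alerts(derive_lockouts(constructed_sample()))` flags only alice, at her fourth lockout; the two failures sent while each lock is still active are ignored, just as Microsoft would refuse them.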
Pro Tip: The Multiple Account Lock event is designed to inform the MSP partner (and, by extension, their customer) that a particular account is under active reconnaissance or attack. It is prudent to make certain that these accounts have strong passwords and, ideally, MFA enabled. Repeated account-lock indications are a great way to demonstrate to a reluctant customer that they NEED MFA enabled and enforced.