O365 email account compromised and perpetrator IP captured refers to a Microsoft Data Center

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Johan Roux 2 years ago

1 Posts

1 Users

0 Reactions

1,244 Views

RSS

Johan Roux

(@johan-roux)

New Member

Joined: 2 years ago

Posts: 1

Topic starter 09/10/2023 7:25 am

Scenario - A user's account is compromised and MFA is enabled on his account.

Audit logs - Analysis of the mentioned email account PureView and Azure audit logs were conducted, and the IP address associated/used by the perpetrator(s), reflects as a Microsoft Data Center IP address, and not the private or public IP address actually used by the Perpetrator(s).

However when the legitimate user logs into the email account, the logs captures such a user's private and/or public IP address and origin.

MFA also logged the perpetrator(s) IP address as a Microsoft Data Center IP address.

Why is it that the IP identified relates to a datacenter of Microsoft when the perpetrator(s) logs in?

I would really appreciate all feedback on this issue.

Quote

🔍 Seeking Collaborators for AI-Enhanced Digital Forensics Project

Hey everyone! I'm working on an exciting project that c...

By etinoxa , 2 days ago
Article: Transforming Mental Health And Organisational Culture In Digital Forensics

Discover how Adapt & Evolve is helping transform di...

By Zoe , 3 days ago
Podcast: Digital Forensics And Stress: Understanding Your Body’s Signals

Dr Zoe Billings and Mark Pannone from Adapt & Evolv...

By Zoe , 7 days ago

8 Forums
15.7 K Topics
92.3 K Posts
237 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed