Is there a way to blacklist an IP based on failed login attempts?
I’ve recently had two user accounts compromised. In looking at the Audit Log, it appears their password was compromised but since their passwords were fairly difficult, I assume it was after numerous login attempts. Perhaps I’m wrong about that.
My mail server is on Unix (FreeBSD) and I’ve become very fond of the Fail2Ban application. It scans log files and looks for scriptable failure messages to blacklist IP addresses for a configurable period of time. It maintains a transient database that adds/removes firewall rules as needed.
I no longer get long lists of addresses trying to scan for usernames, or just pounding on it trying dictionary attacks. I am not familiar with similar tools for Windows but they may be out there.
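As an added illustration of the mechanism the answer above describes (it is not Fail2Ban's own code), the following Python models a single Fail2Ban-style "jail": failure-matching regexes with a host capture group, a per-host count of failures inside a `findtime` window, a ban of `bantime` once `maxretry` is reached, and automatic expiry of the ban. The log lines, hostnames, addresses and the thresholds are constructed for the example; the regex patterns are simplified approximations of the sshd and Dovecot messages, not Fail2Ban's shipped filters.

```python
"""Fail2Ban-style log scanner (added illustration, not Fail2Ban's own code).

Constructed sample lines in the style of FreeBSD syslog (sshd and Dovecot auth
failures). Regexes, thresholds and the year used for parsing are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real server). 203.0.113.5 fails five times
# in ten seconds; 198.51.100.7 has one IMAP failure, one SSH success and one
# SSH failure twenty minutes later, so it never reaches the threshold.
SAMPLE_LOG = """\
Jun 10 10:00:01 mail sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 10 10:00:03 mail sshd[1234]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jun 10 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, rip=198.51.100.7, lip=192.0.2.10
Jun 10 10:00:06 mail sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 10 10:00:07 mail sshd[1234]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
Jun 10 10:00:09 mail sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Jun 10 10:00:11 mail sshd[1234]: Failed password for invalid user postgres from 203.0.113.5 port 51244 ssh2
Jun 10 10:20:00 mail sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Jun 10 11:30:00 mail sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52000 ssh2
"""

# Simplified failure patterns; each must capture the offending address as <host>.
FAILREGEXES = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<host>\d+\.\d+\.\d+\.\d+) port"),
    re.compile(r"dovecot: imap-login: Disconnected \(auth failed.*rip=(?P<host>\d+\.\d+\.\d+\.\d+)"),
]
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")


class Jail:
    """One jail: count failures per host in a sliding window, ban, and expire bans."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.bans = {}                       # host -> time the ban expires
        self.actions = []                    # ("ban"|"unban", host, when) in order

    def _expire_bans(self, now):
        # In Fail2Ban this is where the firewall "unban" action would run
        # (e.g. removing the address from a pf table on FreeBSD).
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.actions.append(("unban", host, now))

    def observe(self, ts, host):
        self._expire_bans(ts)
        if host in self.bans:
            return                           # already blocked; nothing to count
        q = self.failures[host]
        q.append(ts)
        while q and ts - q[0] > self.findtime:
            q.popleft()                      # drop failures outside the window
        if len(q) >= self.maxretry:
            self.bans[host] = ts + self.bantime
            q.clear()
            self.actions.append(("ban", host, ts))


def scan(log_text, jail=None, year=2024):
    """Feed every line through the failure regexes; return the jail state."""
    jail = jail or Jail()
    for line in log_text.splitlines():
        m_ts = TIMESTAMP_RE.match(line)
        if not m_ts:
            continue
        # syslog timestamps carry no year; the year is an assumption here.
        ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
        for rx in FAILREGEXES:
            m = rx.search(line)
            if m:
                jail.observe(ts, m["host"])
                break
    return jail


if __name__ == "__main__":
    for action, host, when in scan(SAMPLE_LOG).actions:
        print(f"{when:%H:%M:%S} {action:5s} {host}")
```

The scan bans 203.0.113.5 on its fifth failure at 10:00:11 and lifts the ban when the next line from that host arrives after the one-hour `bantime`; 198.51.100.7 is never banned because its two failures fall outside a single `findtime` window. Tuning `maxretry`, `findtime` and `bantime` per service is the same trade-off a real jail configuration makes: low enough to stop a dictionary attack quickly, high enough that a user with a stale saved password is not locked out of the firewall.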
I’m not an expert in such matters, but in my experience, it is far more likely that they replied to a clever phishing or spearphishing attack. I don’t know that I’ve ever seen evidence that one of our accounts was hacked, but we have several each year who enter their credentials into a form or page that looks legitimate to them, or came from someone they trusted. And if this happened in your case, then automatically blocking IP addresses after a specified number of failed login attempts might not solve anything.
We have policies in place that lock user accounts for 12 hours after 10 failed login attempts, which would essentially accomplish the same thing. However, we had to change this policy for IT admins, because it became evident that someone was attempting to compromise our system administrator’s account. As I recall, the IP addresses were from Europe, and changed (imagine all the IP addresses that could become blocked in a very short period of time if the attackers are agile!). IT user accounts now lock for 5 minutes after 2 failed attempts. The SA changed his username. This, along with the lockout policy, seems to have put an end to the attacks. Each time a lockout occurs, the Help Desk gets an email containing the username, IP address, and device/system that was experiencing the failed login attempt (usually Exchange, when people change their password but don’t change it on their phone/tablet/Mac; it is especially annoying when Keychain remembers an old password and won’t let go of it).
Perhaps a lockout policy such as this, with notifications, might be of benefit to your organization.
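The following Python is an added illustration of the tiered lockout-with-notification policy described in the answer above; it is not code from any directory or mail product. It keys failures on the account rather than the source address, which is why it still catches the attacker that answer describes rotating through addresses: two failures against an admin account from two different IPs lock the account, while a per-IP block would have seen only one failure per address. The thresholds (10 failures for a 12-hour lock on regular users, 2 failures for a 5-minute lock on IT admins) come from the answer; the 30-minute counting window, the `sa-` username convention for admins, the event fields and the notification shape are assumptions made for the example.

```python
"""Tiered account-lockout policy with Help Desk notification (added illustration).

Thresholds follow the post: 10 failures -> 12 h lock for users, 2 failures ->
5 min lock for IT admins. The counting window, group rule, event format and
notify hook are assumptions for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts before the account locks
    window: timedelta     # failures older than this are forgotten (assumed)
    duration: timedelta   # how long the account stays locked


POLICIES = {
    "users":  LockoutPolicy(10, timedelta(minutes=30), timedelta(hours=12)),
    "admins": LockoutPolicy(2,  timedelta(minutes=30), timedelta(minutes=5)),
}


@dataclass(frozen=True)
class FailedLogon:
    at: datetime
    user: str
    source_ip: str
    system: str           # which system reported the failure, e.g. "Exchange"


class LockoutTracker:
    def __init__(self, policies, group_of, notify):
        self.policies = policies
        self.group_of = group_of            # callable: username -> policy group
        self.notify = notify                # callable: dict -> None (email hook)
        self.failures = defaultdict(deque)  # user -> recent FailedLogon events
        self.locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until and now < until:
            return True
        self.locked_until.pop(user, None)   # lock expired (or never existed)
        return False

    def record(self, ev):
        """Count one failure; return "counted", "locked" or "already_locked"."""
        if self.is_locked(ev.user, ev.at):
            return "already_locked"
        policy = self.policies[self.group_of(ev.user)]
        q = self.failures[ev.user]
        q.append(ev)
        while q and ev.at - q[0].at > policy.window:
            q.popleft()
        if len(q) >= policy.threshold:
            self.locked_until[ev.user] = ev.at + policy.duration
            # The notification carries what the post says the Help Desk gets:
            # username, the IP address(es) involved and the reporting system(s).
            self.notify({
                "user": ev.user,
                "locked_until": self.locked_until[ev.user].isoformat(),
                "source_ips": sorted({f.source_ip for f in q}),
                "systems": sorted({f.system for f in q}),
            })
            q.clear()
            return "locked"
        return "counted"


# Constructed events: alice's phone retries a stale password (not enough to lock
# a regular user); sa-jdoe is targeted from rotating addresses and locks on the
# second failure; a later attempt arrives after the 5-minute lock has expired.
T0 = datetime(2024, 6, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    FailedLogon(T0,                                     "alice",   "198.51.100.20", "Exchange"),
    FailedLogon(T0 + timedelta(minutes=1),              "alice",   "198.51.100.20", "Exchange"),
    FailedLogon(T0 + timedelta(minutes=2),              "alice",   "198.51.100.20", "Exchange"),
    FailedLogon(T0 + timedelta(minutes=5),              "sa-jdoe", "203.0.113.10",  "Exchange"),
    FailedLogon(T0 + timedelta(minutes=5, seconds=30),  "sa-jdoe", "203.0.113.77",  "Exchange"),
    FailedLogon(T0 + timedelta(minutes=6),              "sa-jdoe", "203.0.113.140", "Exchange"),
    FailedLogon(T0 + timedelta(minutes=12),             "sa-jdoe", "203.0.113.140", "Exchange"),
]


def simulate(events):
    """Run events through a tracker; return (per-event outcomes, notifications)."""
    notifications = []
    tracker = LockoutTracker(
        POLICIES,
        lambda user: "admins" if user.startswith("sa-") else "users",  # assumed convention
        notifications.append,
    )
    return [tracker.record(e) for e in events], notifications


if __name__ == "__main__":
    outcomes, notes = simulate(SAMPLE_EVENTS)
    for ev, outcome in zip(SAMPLE_EVENTS, outcomes):
        print(f"{ev.at:%H:%M:%S} {ev.user:8s} {ev.source_ip:14s} {outcome}")
    for note in notes:
        print("notify help desk:", note)
```

The notification lists both attacker addresses, which is the detail that tells the Help Desk this is an attack rather than a user's phone retrying an old password (alice's three failures from one address produce no notification at all). A shorter lock for admins sounds backwards, but the point in the answer is that the low threshold plus the alert catches the attempt early while the short duration keeps the admin from being denied service for half a day.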
My money would be on phishing / spear phishing as well. Anecdotally I’ve seen a big uptick in targeted phishing attacks and executive impersonation attacks in the last 6 months or so, and the Exchange Online spam filter hasn’t done a good job of stopping them for us. We’re considering a third-party filtering solution. We’ve been lucky in that most of the people who have replied to the messages have been tipped off by atrocious spelling and grammar in the replies from the phisher, but the number of people who have replied to at least the initial message has been way higher than I’d like to see. It really doesn’t help that most mobile mail apps don’t show the sender’s address, only their display name, unless you manually tap a “more details” button or link. Time for more IT security training.