Detection from low-cost VPN providers

Out of curiosity, what is everyone doing with the detections for “This detection identifies successful authentications from low-cost VPN providers.” Globally whitelisting, One-off whitelisting, etc…

We’ve been getting a lot of these for connections from personal devices into our Office 365 tenant. A lot appear to be related to NordVPN connections. Nothing malicious, just our users using some sketchy services.

We set all of these low cost vpn detections to notable events

1 Like

so for the most part, people will either tune them accordingly, or set them to notable behaviors so they can be reviewed later, or added to investigations if needed in order to build out the timeline of said investigations.

1 Like

Same here, normally if you have MFA logs you can correlate to see if the IP (from the VPN) provider is associated with a MFA log.
Eventually you will be able to automate this. This is what I am planning to do.

Was thinking about the notable events, but that depends on the Acceptable Use Policy you have in your firm. We have employees that installed a VPN client on their work machines which we try to not allow anymore.

There are more ways to deal with this, however it depends on your risk appetite.

2 Likes

We generally recommend that the alerts not be turned OFF completely. Whether they are tuned to Notable Event or suppressed for a given user is generally up to the customer. The idea behind these alerts is that your company might have an Approved VPN that employees should be using, and so the alert is providing visibility into a possible non-compliance by a user.

These alerts fire when a user ingresses via a VPN that has historically had some attacker activity associated with it in the past (in general, not in any specific customer case). Some customers still wish to see if the VPNs are being used, but may with to suppress it for a specific user or for a specific geoip region (i.e., the user is on vacation abroad and is using their phone to check their email).

1 Like

The problem with this is that any account could be compromised, and the attacker will use the same strategy. it will use some sort of TOR or VPN to hide their identity and compromise the account. You guys will not know because it will be taken as normal. We had similar detections (quite a lot) but we are pushing users not to use those private VPNs, but instead to use ours. The one that the company provides. That way we can monitor the logs and we can investigate quickly if the impossible travel detection make sense. And even with MFA push notification. Users usually just accept request. Hopefully the new modern authentication with Intune managed devices will put a little more fidelity to the request as you have to provide a number to login for each request.

There is no great solution here. Suppressing all these low-cost VPN alerts could be done at your peril for reasons mentioned. Almost all such alerts are harmless nuisances, however.

So we dutifully look at each one, responding in one of several ways.

  1. Ask the user to confirm activity (and reminding of company policy).
  2. Blacklist the IP address range (whack-a-mole).
  3. Ignore it.
1 Like

I have a dashboard and daily report which tracks geoip_organization and country codes other than us. Ingress from 3 or more country codes or 5+ organizations is an automatic disable. Less than that we leave alone since they could be normal traffic, unless they port scan from vpn or something else.

Unless your staff need them for software development testing or some other specific use-case business need, I would recommend developing an HR policy specifically disallowing these connections and technical process to block these connections.
These are especially troubling if your company is not requiring MFA for remote connections.