Blocking traffic from 3rd party VPN services?

We are currently investigating a business email compromise involving an O365 tenant, and according to the audit logs, the attacker's IP belongs to a US based 3rd party VPN solution (Hide My A$$ VPN) with US based subnets.

Now typically for on prem stuff with a Firebox, we'd use GEOBlocker to only allow inbound connections to services behind it from North America. However, I never really thought about attackers launching an attack via US based VPN IPs, so I'm wondering if anyone has any thoughts or ideas (aside from hiding every single thing behind Access Portal and AuthPoint, which isn't completely practical even if we all know it's the secure thing to do) on how to secure from VPN subnets.

dcc

Comments

  • edited April 2021

    What kind of "business email compromise involving an O365 tenant" did you have happen? I am assuming that someone's email account got compromised directly (usually through IMAP spray & pray attacks) or through a phishing email. If that is true, there is nothing that you can do on your Firebox to block it, unless you run all inbound email through your Firebox before it reaches M365 servers or your M365 logins run through your Firebox.

    Setting up the Security Defaults in the Azure AD console will mitigate over 99.9% of those types of email account compromises.

    Gregg Hill

  • Regarding my "unless you run all inbound email through your Firebox before it reaches M365 servers or your M365 logins run through your Firebox" comment, I know nothing about the Access Portal, so I don't know if it is supposed to block logging into M365 accounts. If you have logins allowed from anywhere, then the firebox won't do anything to protect you.

    If your M365 logins are like the rest of the world's accounts where anyone can try to log into M365, then you may want to look into Conditional Access in your M365 account, plus enabling the Security Defaults.

    Gregg Hill

  • Gregg - I think maybe you misunderstood my ask (maybe I wasn't clear enough either)... O365 is O365 and has nothing to do with that customer's M370 cluster, or my ask.

    Rather, the BEC was a catalyst to prompt me to look at what we can do to protect services that we run on prem (not just at this client site, but all our other client sites too) behind WG products in the same fashion where we'd lock those services down with GeoBlocker. But in this case I'm looking to block access from known VPN service providers' IP subnets and known TOR exit nodes too.

    dcc

  • I understood that you are "looking to block access from known VPN service providers IP subnets", but I thought you meant that you wanted to protect Microsoft 365 from those subnets, so yes, I did misunderstand you a bit!

    Gregg Hill

  • I have never tried it, but does Application Control work on inbound connections?

    Gregg Hill

  • Yeah - now that would be a challenge!

  • No - I don't think AC will work. AFAIK, traffic coming out of these VPN and Tor nodes is just standard traffic without any markings in them.

  • @dcolpitts said:
    No - I don't think AC will work. AFAIK, traffic coming out of these VPN and Tor nodes is just standard traffic without any markings in them.

    Good point.

    Gregg Hill

  • Almost every week it seems that I see that some vendor has started a VPN product.

    And, I doubt that VPN vendors would publish their list of IP addrs for any particular country as that would make it easy to block access from them, so coming up with lists for these would not be trivial, and would be changing periodically.
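    A defender-side check in the spirit of dcc's ask (flag or block access from known VPN provider subnets and Tor exit nodes) and of the point above that such lists change: an added example, not code from this thread or from WatchGuard, that parses a CIDR feed and flags sign-ins whose source address falls in one of those ranges. The feed labels, ranges and sign-in records are all constructed (RFC 5737 documentation addresses), not any vendor's real address space.

```python
import ipaddress

# Constructed blocklist in the shape of a simple "label,cidr" feed. Real feeds
# (provider ranges, Tor exit lists) change over time, so this text would be
# re-fetched on a schedule rather than stored once.
VPN_TOR_FEED = """
# label,cidr
vpn-provider-a,198.51.100.0/24
vpn-provider-a,203.0.113.0/25
tor-exit,192.0.2.16/28
tor-exit,192.0.2.77/32
"""

# Constructed sign-in records: (source IP, user, outcome), roughly the fields
# an O365 audit export gives you.
SIGNINS = [
    ("10.0.4.20", "alice@example.com", "Success"),
    ("198.51.100.37", "bob@example.com", "Success"),
    ("192.0.2.20", "carol@example.com", "Failure"),
    ("203.0.113.200", "dave@example.com", "Success"),  # just past the /25
]

def parse_feed(text):
    """Return {label: [networks]}; malformed lines are skipped, not fatal."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, _, cidr = line.partition(",")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # bad entry in the feed; keep the rest usable
        ranges.setdefault(label.strip(), []).append(net)
    # Merge overlapping/adjacent ranges so each lookup touches fewer entries.
    return {k: list(ipaddress.collapse_addresses(v)) for k, v in ranges.items()}

def classify(ip, ranges):
    """Return the feed label a source address falls in, or None if clean."""
    addr = ipaddress.ip_address(ip)
    for label, nets in ranges.items():
        if any(addr in n for n in nets):
            return label
    return None

def flag_signins(signins, ranges):
    """Sign-ins from a known VPN/Tor range, each tagged with the matched label."""
    hits = []
    for ip, user, outcome in signins:
        label = classify(ip, ranges)
        if label:
            hits.append((ip, user, outcome, label))
    return hits
```

The same CIDR set can be exported as an alias for a firewall deny policy; the flagging here is what you would run over audit logs to find sign-ins that a geo rule alone lets through.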
