Office 365 Overseas MFA Failure

Title of the alert: “Overseas MFA Failure”

Description: Alerts when a username and password pair was successfully authenticated, the Multi-Factor Authentication (MFA) step failed, and the login is suspected to have come from an overseas location.

Options:

  • It is possible to ignore specific IP addresses
  • It is possible to ignore specific users

The problem: This alert is triggered when a username and password are accepted, but the Multi-Factor Authentication step fails and the location is overseas.

Impact: If it is from overseas, and you do not have any staff members overseas, then it may be an indication of an account breach (intrusion) – or a near account breach, with the username and password being compromised.

Suggested steps: Engage a technician to confirm that the alert is accurate. If it is, the technician should suggest and undertake suitable mitigation steps to remedy the situation, including an immediate change of password for the impacted user.
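
The alert condition and its two ignore options, as an added Python example that is not the product's own detection code. The event fields (`user`, `ip`, `country`, `password_ok`, `mfa_result`), the home country `AU` and the sample events are constructed assumptions; the ignore list also accepts CIDR ranges, which goes beyond the single addresses mentioned above.

```python
import ipaddress

def overseas_mfa_failures(events, home_country, ignore_ips=(), ignore_users=()):
    """Return the events that match the alert condition.

    Field names are a hypothetical normalised schema, not the Office 365 log format.
    """
    ignored_nets = [ipaddress.ip_network(n, strict=False) for n in ignore_ips]
    ignored_users = {u.lower() for u in ignore_users}
    hits = []
    for ev in events:
        # Condition 1: password accepted AND the MFA step failed.
        if not ev["password_ok"] or ev["mfa_result"] != "failed":
            continue
        # Condition 2: source is overseas. Assumption: events without
        # geolocation are skipped rather than guessed at.
        country = ev.get("country")
        if not country or country.upper() == home_country.upper():
            continue
        # Options: ignore specific users and specific IP addresses or ranges.
        if ev["user"].lower() in ignored_users:
            continue
        addr = ipaddress.ip_address(ev["ip"])
        if any(addr in net for net in ignored_nets):
            continue
        hits.append(ev)
    return hits

# Constructed sample events (documentation IP ranges, example.com users).
FIELDS = ("user", "ip", "country", "password_ok", "mfa_result")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("alice@example.com", "203.0.113.10", "AU", True, "failed"),   # domestic
    ("bob@example.com", "198.51.100.7", "NL", True, "failed"),     # alert
    ("bob@example.com", "198.51.100.7", "NL", True, "passed"),     # MFA passed
    ("carol@example.com", "198.51.100.8", "NL", False, "none"),    # bad password
    ("dave@example.com", "192.0.2.44", "US", True, "failed"),      # ignored range
    ("Erin@example.com", "198.51.100.9", "SG", True, "failed"),    # ignored user
    ("frank@example.com", "198.51.100.10", None, True, "failed"),  # no geolocation
]]

ALERTS = overseas_mfa_failures(
    SAMPLE_EVENTS, home_country="AU",
    ignore_ips=["192.0.2.0/24"], ignore_users=["erin@example.com"],
)

if __name__ == "__main__":
    for ev in ALERTS:
        print(f"Overseas MFA Failure: {ev['user']} from {ev['ip']} ({ev['country']})")
```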