Microsoft 365: Attack Tool User Agents

There is no shortage of tools available for enumerating the users in a Microsoft 365 tenant (AKA Office 365) and testing password security. But what do these 'attack tools' look like from a blue team perspective, and what can you do to alert yourself to their use?

This blog lists the User Agents used by specific attack tools (in their default settings) as recorded in both the Security Center's Unified Audit Logs (UAL) and the Defender for Cloud Apps Activity Log.

M365 Attack Tool User Agents

MSSpray

UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2

O365Spray

UAL: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0

Activity Log: Mac OS X 10;Firefox 69.0

Spray365

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Activity Log: PC, Windows 10 10, Chrome 94.0

Go365

UAL: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Activity Log: Windows 7;IE 10.0

ROADRecon

UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2.25

PowerShell (Connect-ExchangeOnline)

UAL: Other

Activity Log: ;;Rich Client 4.30.1.0;

TeamFiltration V3.3

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

Activity Log: ;Windows 10;Edge 18.17763;

TeamFiltration V3.5

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36

Activity Log: ;Windows 10;Chrome 80.0.3987

BAV2ROPC

I have observed the User Agent "BAV2ROPC" in brute-force attempts and password spraying activity. BAV2ROPC's appearance is likely determined by the use of legacy clients and authentication such as IMAP.

Whilst I wasn't able to find any specific documentation for it, I figured BAV2ROPC is an acronym for "Basic Authentication Version OAuth2 Resource Owner Password Credentials".

It is worth noting, though, that the User Agent itself is not necessarily an indication of attack. From my experience the User Agent "BAV2ROPC" is also often noted for legitimate logons by legacy clients using legacy authentication (typically service accounts).

You should be able to identify pretty quickly whether the authentication is legitimate through IP geolocation, reputation etc., but also be on the lookout for multiple 'UserLoginFailed' operations followed by a 'UserLoggedIn' operation involving the same User Agent.

See below for some screenshots of what BAV2ROPC authentication activity looks like in the UAL and Azure Active Directory Sign-In Logs.

BAV2ROPC UserLoginFailed Operation in the UAL

BAV2ROPC UserLoggedIn Operation in the UAL

BAV2ROPC in Azure Active Directory Sign-in Logs
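As an added example (not code from the original post), the following Python script applies the two checks described above to exported UAL records: an exact match against the default attack-tool User Agents listed earlier, and the "several BAV2ROPC UserLoginFailed events followed by a BAV2ROPC UserLoggedIn" pattern. It assumes the UAL AuditData JSON shape in which the User Agent is an ExtendedProperties entry named UserAgent; the sample records are constructed.

```python
from collections import defaultdict

# Default User Agents from the table above, keyed by tool. python-requests/2.25.1
# is shared by MSSpray and ROADRecon, so the UAL alone cannot tell them apart.
TOOL_USER_AGENTS = {
    "python-requests/2.25.1": "MSSpray or ROADRecon",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0": "O365Spray",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)": "Go365",
}

def rec(time, op, user, ua):
    """Build a minimal UAL AuditData-shaped record (constructed sample, not real data)."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}]}

SAMPLE_UAL = [  # constructed sample data
    rec("2023-01-01T10:00:00", "UserLoggedIn", "alice@example.com", "python-requests/2.25.1"),
    rec("2023-01-01T10:01:00", "UserLoginFailed", "bob@example.com", "BAV2ROPC"),
    rec("2023-01-01T10:02:00", "UserLoginFailed", "bob@example.com", "BAV2ROPC"),
    rec("2023-01-01T10:03:00", "UserLoginFailed", "bob@example.com", "BAV2ROPC"),
    rec("2023-01-01T10:04:00", "UserLoggedIn", "bob@example.com", "BAV2ROPC"),
    rec("2023-01-01T09:00:00", "UserLoggedIn", "svc-backup@example.com", "BAV2ROPC"),
]

def user_agent(record):
    """Return the UserAgent value from a record's ExtendedProperties, or '' if absent."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""

def flag_tool_agents(records):
    """(UserId, tool) for every record whose User Agent matches a known default tool UA."""
    return [(r["UserId"], TOOL_USER_AGENTS[user_agent(r)])
            for r in records if user_agent(r) in TOOL_USER_AGENTS]

def flag_bav2ropc_sprays(records, min_failures=3):
    """Users with >= min_failures BAV2ROPC UserLoginFailed events followed by a BAV2ROPC
    UserLoggedIn. A lone BAV2ROPC success (e.g. a legacy-auth service account) is not flagged."""
    failures = defaultdict(int)
    flagged = []
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if user_agent(r) != "BAV2ROPC":
            continue
        user = r["UserId"]
        if r["Operation"] == "UserLoginFailed":
            failures[user] += 1
        elif r["Operation"] == "UserLoggedIn":
            if failures[user] >= min_failures:
                flagged.append(user)
            failures[user] = 0  # a success ends the current failure run
    return flagged

if __name__ == "__main__":
    print(flag_tool_agents(SAMPLE_UAL))
    print(flag_bav2ropc_sprays(SAMPLE_UAL))
```

Tune min_failures to your tenant's baseline and enrich the flagged ClientIP with geolocation and reputation before raising an alert, as the post suggests.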

'Passive' User Enumeration

Whilst not truly passive, some tools can enumerate users in a Microsoft 365 tenant without entering a password. This is done by looking at the response codes Microsoft's infrastructure returns when a username is submitted.

When using these user enumeration techniques, because no password is entered the event is not recorded as a failed logon attempt in the tenant logs. This technique is used by tools such as O365Creeper, but it can also be performed with Burp Suite.

Creating Activity Policy

Defender for Cloud Apps offers you a chance to spot some of this activity by alerting on the use of 'suspicious User Agents'.

To do so, create an Activity Policy based on the "Activities from suspicious user agents" policy template and add the User Agents you would like to treat as suspicious; this can hopefully give you a heads-up on tenant scanning.