It's real, I also received it, I checked my login attempts and something was strange, so I removed the user who was accessing and generating the alerts.
I suggest you enable Multi-Factor Authentication.
on the dashboard, under login attempts I cant see any unauthorised logins and all successfull logins are from legitimate users. No suspicious IP addresses.
So not entirely sure which account was compromised.
Same for us,
the subject is "[Important Notice] Action Required: Unauthorized Login to Your Meraki Dashboard"
by lemur.mktdns.com [184.108.40.206].
It actually looks like a fake email, I completely agree, but I noticed a strange login on my dashboard about another user, so I decided to remove that user just to be sure. I didn't click on any links because I didn't trust that email either.
I think it's sent from a marketing/mass-mail company Meraki uses. I checked other previous legit emails I've received from Meraki in the past and they also came from mktdns.com
I also received this but it seems like none of my coworkers did. I haven’t been able to check headers of the email or dashboard activity yet as I’ve been on mobile since I got the email. I was going to reach out to Meraki support to see if it’s legit or get more info, I have access to 100 different Meraki orgs so I’m not sure if it’s saying my own account was suspicious or a user on any org I have access to was suspicious
EDIT: After going through every organization I have access to, I did find one with dozens of login attempts on a certain account from many different IPs. The account does show having MFA enabled but many of the logins were successful
I got another email one last night, and looking at the login attempts on dashboard no failed logins or anything suspicious.
case opened and spoke to Meraki looks to be a legitimate notification
Very odd never had this alert before but started now. I assume some changes done on the portal side for these alerts to come thru.
This alert is becoming more annoying than anything. A coworker of mine received it two days after I did, but without any additional info it'll be impossible to act on. We have close to 100 networks we manage, it's not sustainable to look through the login attempt section of 100 organizations. I don't see this info accessible via the API either
I got one of these a 2 weeks ago (which I missed as I was on holiday) and then this morning.
Checked and there's been multiple failed aand sucesfull logins to a second admin account from all over the world.
admin2 is the compromised account. admin1 is mine.
|firstname.lastname@example.org||220.127.116.11||, Turkey||Login||Failure||Sat, 03 Dec 2022 16:32:22 GMT|
|email@example.com||18.104.22.168||Los Angeles, CA||Login||Failure||Sat, 03 Dec 2022 14:25:11 GMT|
|firstname.lastname@example.org||22.214.171.124||Clinton, MD||Login||Success||Sat, 19 Nov 2022 23:20:38 GMT|
|email@example.com||126.96.36.199||Barnsbury, United Kingdom||Login||Failure||Fri, 18 Nov 2022 05:41:00 GMT|
|firstname.lastname@example.org||188.8.131.52||, Russian Federation||Login||Failure||Wed, 16 Nov 2022 17:19:25 GMT|
|email@example.com||184.108.40.206||,||Login||Failure||Fri, 11 Nov 2022 01:07:37 GMT|
|firstname.lastname@example.org||220.127.116.11||Chisinau, Moldova||Login||Failure||Wed, 09 Nov 2022 17:01:43 GMT|
|email@example.com||18.104.22.168||, Australia||Login||Failure||Wed, 09 Nov 2022 16:54:31 GMT|
|firstname.lastname@example.org||22.214.171.124||, Canada||Login||Failure||Wed, 09 Nov 2022 14:41:08 GMT|
|email@example.com||126.96.36.199||Amsterdam, Netherlands||Login||Success||Fri, 28 Oct 2022 22:15:33 GMT|
|firstname.lastname@example.org||188.8.131.52||London, United Kingdom||Login||Failure||Sun, 23 Oct 2022 22:24:20 GMT|
|email@example.com||184.108.40.206||Sheridan, WY||Login||Failure||Sun, 23 Oct 2022 15:38:49 GMT|
|firstname.lastname@example.org||220.127.116.11||,||Login||Failure||Wed, 12 Oct 2022 12:18:20 GMT|
|email@example.com||18.104.22.168||Amsterdam, Netherlands||Login||Failure||Tue, 11 Oct 2022 20:50:44 GMT|
|firstname.lastname@example.org||22.214.171.124||, China||Login||Success||Sat, 08 Oct 2022 19:08:14 GMT|
|email@example.com||126.96.36.199||Frankfurt Am Main, Germany||Login||Success||Sat, 08 Oct 2022 09:23:25 GMT|
|firstname.lastname@example.org||188.8.131.52||Tuusula, Finland||Login||Success||Mon, 03 Oct 2022 20:23:18 GMT|
|email@example.com||184.108.40.206||Moskva, Russian Federation||Login||Success||Mon, 03 Oct 2022 06:21:11 GMT|
|firstname.lastname@example.org||220.127.116.11||, Turkey||Login||Success||Sun, 02 Oct 2022 20:19:32 GMT|
|email@example.com||18.104.22.168||, United Kingdom||Login||Failure||Fri, 30 Sep 2022 04:27:16 GMT|
|firstname.lastname@example.org||22.214.171.124||Montauban, France||Login||Failure||Fri, 30 Sep 2022 03:50:17 GMT|
|email@example.com||126.96.36.199||, United Kingdom||Login||Failure||Wed, 28 Sep 2022 14:11:59 GMT|
|firstname.lastname@example.org||188.8.131.52||, China||Login||Failure||Tue, 27 Sep 2022 17:44:48 GMT|
|email@example.com||184.108.40.206||, Germany||Login||Failure||Tue, 27 Sep 2022 06:51:20 GMT|
|firstname.lastname@example.org||220.127.116.11||, United Kingdom||Login||Failure||Tue, 27 Sep 2022 00:52:51 GMT|
|email@example.com||18.104.22.168||, Poland||Login||Failure||Mon, 26 Sep 2022 10:47:34 GMT|
|firstname.lastname@example.org||22.214.171.124||, Canada||Login||Failure||Mon, 19 Sep 2022 22:51:48 GMT|
|email@example.com||126.96.36.199||, United Kingdom||Login||Failure|
Thu, 15 Sep 2022 02:22:15 GMT
What's strange is this admin2 account was created about 6 years ago and never used.
What's more confusing is that the persons email account never got any of the emails with a confirmation code to login with. (perhpas something with it being so old it doesn't get it?)
What's not confusing is what they were up to...
|Command Line request||command: powershell (Get-ADComputer -Filter *).Count|
|Command Line request||command: net users /domain|
PC it was run on seems fine, run 3 different AV/Anti malware and Autoruns.(open to anything else worth running on it)
other 5 PCs on the network we've run the above and seem fine.
Unfortuantly all the event logs have rolled over from the date it occured 😞
I won't lie, admin2 probably had a crappy password but not sure how they got around the email alerts.(will be looking at uses laptop soon)
Awaiting a call from Meraki now to speak to them about it... will update if anything interesting... Merry Christmas!
Meraki support person called and proceeded to read from a corporate comms stating how they've seen this activity accross multiple clients and should change passwords blah, blah, blah
Offered to have their security team reach out, which I said yes and if they can answer why the 2fa email didn't come through.
Checked the users laptop and it's fine and O365 logs show no emails from Meraki to them...