IAM Event - Multiple Account Locks
Event
Account Locks - three or more lock actions for any connected SaaS application within 12 hours.
Recommended action
Contact the customer or user and make them aware of this event. Unless the locks were caused by several admin suspensions, this event indicates an active, ongoing attempt to execute a brute force login attack on the user account. The account should be secured by forcing a logout from all devices (if the SaaS product provides this functionality), resetting the user password in line with complex password best practices, and enabling multifactor authentication (MFA) if it is offered and not already enabled. If the problem persists, it is advisable to create a new login account for this user and remove the account that is under persistent attack. If the account is associated with a user mailbox, the previous account can be added as an alias to the new user account.
Alert type
Low alert
Supplemental information
The Multiple Account Lock event logic is unique to SaaS Alerts, and this event is not created by Microsoft internally. Microsoft Conditional Access rules do not prevent a user account from completing a sign-in. Instead, they allow the sign-in to proceed, and once the account is signed in, Conditional Access allows or blocks interaction with Microsoft 365 assets.
Hackers do not know if Conditional Access rules are in place or not, so they may attempt to guess the correct credentials using sign-in automation and in doing so lock the account.
The Multiple Account Lock event occurs when a user (or more commonly a hacker or bot) attempts to log in to the account 10 or more times in rapid succession. Microsoft then locks the account. The account is unlocked after 15 minutes. If the hacker or bot tries again and re-locks the account, SaaS Alerts tracks that activity. If the account is locked by this repeated action more than three times within 12 hours, SaaS Alerts creates the alert.
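The correlation described above can be sketched as a sliding-window count per account and application. This is an added example, not SaaS Alerts' own implementation; the event tuple layout, the sample data, and resetting the count after an alert are assumptions, and the threshold follows the "three or more" wording of the event definition.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)   # "within 12 hours" from the event definition
THRESHOLD = 3                  # "three or more lock actions"

# Constructed sample lock events: (ISO timestamp, account, application).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice@example.com", "Microsoft 365"),
    ("2024-05-01T08:20:00", "alice@example.com", "Microsoft 365"),
    ("2024-05-01T09:05:00", "bob@example.com", "Microsoft 365"),
    ("2024-05-01T11:45:00", "alice@example.com", "Microsoft 365"),
    ("2024-05-01T23:30:00", "bob@example.com", "Microsoft 365"),
    ("2024-05-02T09:00:00", "bob@example.com", "Microsoft 365"),
]

def detect_multiple_locks(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (account, app) burst of >= threshold locks in window."""
    recent = defaultdict(deque)   # (account, app) -> lock times still in window
    alerts = []
    for ts, account, app in sorted(events):
        when = datetime.fromisoformat(ts)
        locks = recent[(account, app)]
        locks.append(when)
        # Drop locks more than 12 hours older than the newest one.
        while when - locks[0] > window:
            locks.popleft()
        if len(locks) >= threshold:
            alerts.append({"account": account, "app": app,
                           "first_lock": locks[0].isoformat(),
                           "last_lock": when.isoformat(),
                           "lock_count": len(locks)})
            locks.clear()   # assumption: start a fresh count after alerting
    return alerts

if __name__ == "__main__":
    for alert in detect_multiple_locks(SAMPLE_EVENTS):
        print(alert)
```

In the sample data, the second account is also locked three times, but the locks are spread over roughly 24 hours, so no alert is raised for it.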
The Multiple Account Lock event is designed to inform the MSP partner (and by extension their customer) that a particular account is under active reconnaissance or attack. It is prudent to make certain that these accounts have strong passwords and, ideally, MFA enabled. Repeated account locks are a great way to demonstrate to a customer who is reluctant to enable MFA that it needs to be enabled and enforced.