4 Votes
JohnRezek-8844 asked ToryjaneDillman-5497 commented

I'm receiving security travel alerts from Office 365 from user logon in Tanzania

I have multiple users getting logon alert messages sent to me saying that they log on from Tanzania, all with AT&T phone equipment. Technical staff tell me it is a false positive due to AT&T IP6 issues. Is this true? Should I be concerned?

The user performed an impossible travel activity. The user was active from 73.192.213.22 in United States and 2600:387:5:807::9f in Tanzania within 718 minutes.


Another thread with the same symptoms: https://docs.microsoft.com/en-us/answers/questions/548596/ip6-on-atampt-causing-impossible-travel-alerts-fro.html
Sounds like it could be an IPv4 to 6 mapping issue with the carriers themselves or at the gateway where ISP traffic is routed to Microsoft.

0 Votes 0 ·
0 Votes
vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@JohnRezek-8844 Thanks for reaching out.

If that is a network carrier issue, you cannot do much here apart from raising it with them. A few things you would want to consider are making sure that the user is legitimate by confirming with the user, and removing the false positive. Hope you already have MFA or passwordless configured on your tenant.

If, after your investigation with AT&T, this turns out to be a real issue, then to reduce the false positives, filter the logs for successful logins only, so that you can investigate the real entries amid the huge noise that you might be getting.




Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


These are successful logins from the AT&T carrier and the reason for my concern. Thank you.

0 Votes 0 ·

We are seeing this with Verizon also. I think this is an MS issue misclassifying these IPs.

0 Votes 0 ·

@JohnRezek-8844 @TexasAdmin-3202 @BrianWilliams-0718 The PG is aware of this and is working to mitigate it. This has a dependency on a third party, where the work is already going on. It should be fixed soon.

0 Votes 0 ·
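The triage suggested in the answer above (keep only successful sign-ins, then look at where the "foreign" address really belongs), written out as an added example that is not part of the original thread and is not Microsoft code. The sign-in record fields are hypothetical, and the carrier prefix is an assumption derived only from the address quoted in the question; verify any prefix through WHOIS/RDAP before trusting it.

```python
import ipaddress
import re

# Alert wording as quoted in the question.
ALERT_RE = re.compile(
    r"The user was active from (?P<ip1>\S+) in (?P<loc1>.+?) "
    r"and (?P<ip2>\S+) in (?P<loc2>.+?) within (?P<minutes>\d+) minutes"
)
# Assumption: prefixes you have verified yourself (WHOIS/RDAP) as US mobile
# carrier space. This /32 is only derived from the address in the question.
VERIFIED_CARRIER_PREFIXES = [ipaddress.ip_network("2600:387::/32")]

ALERT = ("The user performed an impossible travel activity. The user was active "
         "from 73.192.213.22 in United States and 2600:387:5:807::9f in Tanzania "
         "within 718 minutes.")
# Constructed sign-in records (hypothetical field names, not a Microsoft schema).
SIGNINS = [
    {"ip": "2600:0387:0005:0807:0000:0000:0000:009f", "result": "success"},
    {"ip": "73.192.213.22", "result": "success"},
    {"ip": "2001:db8::1", "result": "failure"},
]

def parse_alert(text):
    """Return both (ip, location) endpoints and the window in minutes, or None."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    try:
        ends = [(ipaddress.ip_address(m["ip1"]), m["loc1"]),
                (ipaddress.ip_address(m["ip2"]), m["loc2"])]
    except ValueError:  # matched token is not a valid IP address
        return None
    return {"endpoints": ends, "minutes": int(m["minutes"])}

def triage(alert_text, signins, home_country="United States"):
    """Return 'unparsed', 'no-successful-signin', 'investigate' or 'likely-geo-fp'."""
    alert = parse_alert(alert_text)
    if alert is None:
        return "unparsed"
    # Keep only successful sign-ins; parsing the address normalises IPv6 spelling.
    ok = {ipaddress.ip_address(s["ip"]) for s in signins if s["result"] == "success"}
    hits = [ip for ip, loc in alert["endpoints"] if loc != home_country and ip in ok]
    if not hits:
        return "no-successful-signin"
    for ip in hits:
        if ip.version != 6 or not any(ip in n for n in VERIFIED_CARRIER_PREFIXES):
            return "investigate"  # foreign success outside known carrier space
    return "likely-geo-fp"  # still confirm with the user before dismissing

if __name__ == "__main__":
    print(triage(ALERT, SIGNINS))
```

A `likely-geo-fp` result only says the flagged address sits in carrier space you have verified; confirming the sign-in with the user, as the answer advises, remains the deciding step.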
1 Vote
BrianWilliams-0718 answered SterlingCharles-3145 commented

We started seeing this last Thursday; we're getting Sprint, T-Mobile and Verizon IPv6 networks flagged as Tanzania. I posted this at @msftsecurity today via Twitter, and they replied that they know that this is an issue. I did report the issue as advised via the Microsoft Support Portal, and the Microsoft Team quickly closed the raised ticket, saying that there are no issues. So... not sure what's up.


Same here. Traffic, from all carriers, being routed through Tanzania. I checked the History and this has gone on since March, but we just started receiving the Alerts for Impossible Travel.

0 Votes 0 ·