Understanding Office 365 Impossible Travel

Impossible travel. Is it sending a human to Saturn or Venus? Well maybe, but in the context of Microsoft Office 365, Impossible Travel is a security feature that is a great indicator of potential hacking attempts. The concept is straightforward. If you login to Office 365 from your office in Boston and then 20 minutes later you try to login from Dallas, or you login from home in Chicago and five hours later from Beijing, Office 365 basically says “wait a minute, that’s impossible” and it denies login from Dallas and immediately sends an IT security alert. Get tips to optimize Impossible Travel here.

Impossible Travel is a security component of Microsoft Cloud App Security, providing advanced threat detection across the cloud environment. The anomaly detection policies provide immediate detections, targeting numerous behavioral anomalies across users and the machines and devices connected to an organization’s network.  

The security alerts generated by Impossible Travel provide detailed information on over 30 different risk indicators, including:

• Risky IP address
• Login failures
• Admin activity
• Inactive accounts
• Location
• Impossible travel
• Device and user agent
• Activity rate

This default rule in Office 365 has built-in intelligence through machine learning that also limits the number of false positives over time. For example, at Daymark most of our employees login from our office in Burlington, MA, but our Azure servers are located in Virginia. Office 365 has learned that this is not an anomaly that should trigger an alert, but rather normal behavior for our business.

Given the increased sophistication and frequency of cyberattacks, enterprises must be extremely vigilant. Identifying abnormal usage and gaining enhanced visibility into any and all potential threats is an important tool in the war on cybercrime.

Here are examples of a couple of alerts we’ve had at Daymark in the past (actual names and IP addresses have been partially obscured for privacy).

This alert tells us that one of our employees tried to login to our servers from both the U.S. and Poland within 344 minutes. That’s a little under 6 hours. Given that a non-stop flight from New York to Warsaw is 8 hours 20 minutes (without delays which almost never seems to happen these days!) this attempted login would be impossible.

This second alert is similar showing failed logins from the U.S. and then from Vietnam in a little more than 6 hours. Additionally, these alerts show that the IP address had not been used in 66 days which in itself would be highly unusual for an active employee.

Being able to identify risky authentication attempts enables enterprises with Office 365 another level of protection against phishing and other social engineering attempts. If you want to learn more about a secure Office 365 deployment, contact us. Daymark is a Microsoft Tier 1 Cloud Service Provider with Gold Cloud Platform and Gold Cloud Productivity competencies. Both of these competencies are achieved through multiple business and technical certifications as well as positive customer feedback and solid execution, ensuring our consultants have the expertise to provide a smooth and secure Office 365 migration. In addition, we offer design, deployment and on-going management of Azure to help your team jumpstart the adoption of this cloud platform.

If you are interested in learning more about Microsoft Cloud App Security or need help implementing a comprehensive strategy Daymark can help. Click here to get started and checkout the fun gifts we have when you schedule a 20-minute meeting with us.