There is no shortage of tools available for enumerating the users in a Microsoft 365 tenant (AKA Office365) and testing password security. But what do these 'attack tools' look like from a blue team perspective and what can you do to alert yourself of their use.

This blog lists the User Agents used by specific attack tools (in their default settings) as recorded in both the Security Center's Unified Audit Logs (UAL) and the Defender for Cloud Apps Activity Log.

BAV2ROPC

I have observed the User Agent "BAV2ROPC" in brute-force attempts and password spraying activity. BAV2ROPC's appearance is likely is determined by the use of legacy clients and authentication such as IMAP.

Whilst I wasn't able to find any specific documentation for it, I figured BAV2ROPC is an acronym for "Basic Authentication Version OAuth2 Resource Owner Password Credentials".

It is worth noting though, the User Agent itself is not necessarily an indication of attack. From my experience the User Agent "BAV2ROPC" is also often noted for legitimate logons by legacy clients using legacy authentication (typically service accounts).

You should be able to identify pretty quickly if the authentication is legitimate or not through IP geolocation, reputation etc. but also be on the lookout for multiple 'UserLoginfailed' operations which are followed by a 'UserLoggedIn' operation involving the UserAgent.

See below for some screenshots of what BAV2ROPC authentication activity looks like in the UAL and Azure Active Directory Sign-In Logs.

Creating Activity Policy

Defender for Cloud Apps offers you a chance to spot some of this activity by alerting on the use of 'suspicious User Agents'.

To do so, Create an Activity Policy based of the "Activities from suspicious user agents" policy template and add the User Agents you'd like to treat as suspicious which can hopefully give you the heads up on tenant scanning.