Working with Dark Web Monitoring

Dark Web Monitoring matches the account detected to the account in Azure Active Directory and Spanning Backup for Microsoft 365. The resulting matrix is Azure AD: Active, Deactivated, and Deleted; and Spanning: Protected and Not Protected.

• Spanning Protected – There is a Spanning Backup for Microsoft 365 license associated with the account.
• Spanning Not Protected – The account is not licensed for Spanning Backup for Microsoft 365.
• Azure AD Active – The account was found in Azure AD and is not disabled.
• Azure AD Deactivated – The account was found in Azure AD and is disabled.
• Azure AD Deleted – The account was not found in Azure AD. Note, this may include email aliases.

At Spanning, we are happy to deliver one of the most requested features for our Dark Web Monitoring capability since the service was announced. Spanning Administrators can now resolve compromised records so that the records are removed from the list of compromises.

To review and resolve compromised records

1. Get started by navigating to the Dark Web tab.
2. With the compromise list in view you can select, search, or filter the records in the compromise list.
3. Once you have either selected or filtered the list you have these resolution options:
   • Resolve – Resolves only the selected items in the compromised list.
   • Resolve All (filtered) – Resolves all compromised items in the current view. If the view is filtered, only the filtered items are resolved. If the view is not filtered, all items are resolved, clearing the list. If you choose a large list of records to be resolved, they are processed in batches of 500. The process may take a few moments to complete.

NOTE  Once you confirm the action to mark compromised records resolved, they no longer display in Spanning Dark Web Monitoring. The records cannot be retrieved. This action is logged in the Activity log (for details, see Viewing Application Activity).

Selected records example:

Filtered records example:

When Spanning Backup for Microsoft 365 receives breach data for a domain, it may include the entire plain text password or a password hash. Spanning truncates the password to 10 characters and masks the last 5 before storing it in our database or showing it to an administrator. We feel that the IT Admin doesn't need the whole password to have a conversation with the person who is breached. They can say, "Do you still use a password that starts with passw*****?" and still have a meaningful conversation about the significance of strong passwords and password security.

Spanning Backup for Microsoft 365 Dark Web Monitoring is domain-level protection. Domains in the tenant are evaluated for compromised credentials. The result of this monitoring can include accounts that are associated with your domain but may not be active in Azure Active Directory. For example, the Acme Corp Marketing department maintains a social media presence using marketing@acmecorp.com. This marketing address is not associated with an Azure Active Directory account, it is just an email alias. This email address and the password mypass@word are used to secure Canva, Twitter, Facebook, and Instagram. If these credentials are part of the Instagram or Canva breaches, they would display in the Dark Web Monitoring report as marketing@acmecorp.com and mypas*****. Even though there is no user account in Azure AD, this breached account represents a risk to the Acme Corp social media presence if the password is reused.