Employer knew I was on VPN?

I had Microsoft Teams open in browser, for work, nothing else work related open. Turned on PIA (Poland IP, I’m in UK) and then received a message from IT:

“you appear to be using PIA VPN, can you please switch it off as it’s generating alerts”

How is this possible?

It’s their network. They’re monitoring all the traffic that goes through and have the ability to receive an alert when certain IPs/ports are accessed. It’s easy to detect when someone is using a VPN, the hard part is telling what they were using it for.

Microsoft Teams is part of Microsoft 365/Office 365.

O365 has some pretty strong security features, including identifying suspicious logins. If you typically log in from the UK and suddenly are logging in from Poland, that will almost definitely trigger an alert as that’s a strong deviation from your normal login pattern. It’s not trying to play “gotcha” for using a VPN, but instead it’s alerting your IT team because that could be a sign that your account credentials were compromised.

It probably isn’t telling them it’s a VPN either - instead it probably alerted them to an unexpected login from Poland, and an IT tech or security analyst at your company did some research to determine it was a VPN and not necessarily an actual login from Poland.

There are databases / services that track VPN IP addresses. Probs got flagged as a VPN service and they either had the info that it was PIA or they did a Google search of the IP.

Every so often the client will ping about 50 servers… this repetitive ping looks suspicious to network admins and they flag you. This is how they know. I was booted off a customer’s network until we both (independently) determined it was the client. I turned off the client when it wasn’t in use.

They know which VPN endpoint IPs you connect to, they just don’t know what you do in the tunnel.

In O365 you can enable alerting to block sign ins from high risk countries. If your company has Poland in that list, you trying to sign in would flag an alert.

This is the same as if your account was compromised and somebody tried to sign in with your username and password in Poland.

It doesn’t even have to be a high risk country to be fair. If you sign in in the UK then 30 minutes later sign in in Poland, 365 flags this as “impossible travel” and flags for security.
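Added example, not part of the thread and not Microsoft's implementation: a minimal sketch of the "impossible travel" check described above, which also tags the source IP against a VPN-provider prefix list the way an analyst would when triaging the alert. The sign-in records, the `ExampleVPN` prefix (a documentation range) and the 900 km/h threshold are constructed assumptions.

```python
import ipaddress
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed: a documentation-range prefix standing in for a VPN provider's
# address space (a real deployment would use an IP-intelligence feed).
VPN_PREFIXES = {"ExampleVPN": [ipaddress.ip_network("198.51.100.0/24")]}
MAX_KMH = 900  # assumed threshold, roughly airliner cruising speed

# Constructed sign-in records: (user, ISO timestamp, source IP, lat, lon)
SIGNINS = [
    ("alice", "2024-03-01T09:00:00", "203.0.113.10", 51.51, -0.13),  # London
    ("alice", "2024-03-01T09:30:00", "198.51.100.7", 52.23, 21.01),  # Warsaw
    ("bob",   "2024-03-01T08:00:00", "203.0.113.20", 51.51, -0.13),  # London
    ("bob",   "2024-03-01T13:00:00", "203.0.113.99", 48.86, 2.35),   # Paris
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def vpn_provider(ip):
    """Return the provider name if the IP is in a listed prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in VPN_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None

def impossible_travel(signins, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user that imply travel faster than max_kmh."""
    alerts, last = [], {}
    for user, ts, ip, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon = last[user]
            # Clamp the gap to one minute so simultaneous sign-ins don't divide by zero.
            hours = max((when - p_when).total_seconds(), 60) / 3600
            kmh = haversine_km(p_lat, p_lon, lat, lon) / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "ip": ip, "kmh": round(kmh),
                               "vpn": vpn_provider(ip)})
        last[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

The London-to-Paris pair five hours apart stays under the threshold, while the London-to-Warsaw pair 30 minutes apart is flagged and attributed to the VPN prefix.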

OpenDNS Umbrella can detect and block PIA, and there are other ways too. Like AMP for Endpoints and AMP in the network devices. PIA’s entire network is also identified by their AS number too, so if there’s traffic going to an “unauthorized” AS number network, that’s a handy alert to have.

It all depends on the local network, and their policies. Some IT shops are very strict, like banks and such, while other places are more lenient or even downright unconcerned.

If you needed data services and wanted to use PIA in this environment then perhaps an AirCard or an iPhone Personal Hotspot would be warranted. I oftentimes consider these factors when I’m a guest in someone else’s network. Sometimes it’s best to simply bring your own everything, than trip alarms and start suspicions.

Your work computer already runs through a corporate proxy. When you attempt to connect from a disallowed IP range, you get flagged.

Even when I’m not on their network? And only signed into MS Teams?

Exactly. I have had account logins from Russia, Brazil, African countries after getting my cookies phished somehow by going to random websites on Google (even with 2 factor login). So it is important for Microsoft to do this.

Good to know, but it’s not what’s happening here.

PIA/VPN services have their own AS numbers?!

Whenever you visit a site, the site knows what IP address you are accessing it from. That is all that the company would need to know that you are using PIA.

You can see where anyone is logging in from using the admin portal of Office 365 as it’s all cloud based. You can also set it up to send alerts or block accounts from logging in from certain countries, like Nigeria or India if you’re a UK company.

They 100% got an alert, checked the IP address and saw that PIA owns it.

My advice, set up a work profile in your browser (I know Chrome supports this), then use your personal profile with the PIA extension.

Yeah, I got a message from our security team noting I logged in from France five hours after logging in from the USA. Happened to be I was in France but didn’t enable the company VPN in time, I suppose.

Yup. Found it out when a website declined to serve me web traffic and spit up the AS number as being offensive. So, for those sites I have Firefox set with a split tunnel by app and that works fine. LOL. The little things you discover with overly descriptive error pages.

My personal advice is for OP to leave personal activities far away from work related activities as we could give an iron clad suggestion and all it takes is a mistake or leak and boom - back to being detected.

Work is work.

Fascinating. Can you share the (scrubbed) URL so I can also experience this? I was also wondering, just from the IP it’s not going to say PIA… It’s just going to be the transit provider’s host name etc, so I’m curious what looking glass thingy you were looking at…

If using Teams on browser and not the app, this sounds like a BYOD work environment.

In which case, I would definitely recommend another browser or profile for work that is free of all personal browsing, saved passwords, extensions and cache.