We got the very first probe blocked by the Fortigate. Looks like just a scan.
The following intrusion was observed: MS.Exchange.Server.Autodiscover.Remote.Code.Execution.
date=2022-10-04 time=15:51:22 devname= devid= eventtime=1664923882026333990 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=95.154.230.15 srccountry="United Kingdom" dstip= srcintf="wan1" srcintfrole="wan" dstintf="LAN" dstintfrole="lan" sessionid=141565928 action="dropped" proto=6 service="HTTP" policyid=11 attack="MS.Exchange.Server.Autodiscover.Remote.Code.Execution" srcport=63259 dstport=443 hostname="mail.example.com" url="/autodiscover/autodiscover.json?email address removed for privacy reasons/owa/?&Email=autodiscover/autodiscover.json?email address removed for privacy reasons&Protocol=XYZ&FooProtocol=Powershell" direction="outgoing" attackid=50584 profile="high_security" ref="http://www.fortinet.com/ids/VID50584" incidentserialno=144550211 msg="web_app3: MS.Exchange.Server.Autodiscover.Remote.Code.Execution," crscore=50 craction=4096 crlevel="critical"
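Added example, not part of the original post: a small Python triage script that parses FortiGate IPS key=value lines like the one above and separates hits on this signature that were dropped from hits that were not. The sample lines and their addresses are constructed, and treating only action="dropped" as blocked is an assumption taken from the log shown.

```python
import re
from collections import Counter

# key=value pairs; a value is either "quoted" (may contain spaces) or bare,
# and a bare value may be empty, as with devname= in the log above.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

SIGNATURE = "MS.Exchange.Server.Autodiscover.Remote.Code.Execution"  # from the log above

def parse_line(line):
    """Turn one FortiGate key=value log line into a dict, stripping quotes."""
    return {key: value.strip('"') for key, value in _PAIR.findall(line)}

def triage(lines, signature=SIGNATURE):
    """Split IPS hits on `signature` into (blocked, not_blocked) event lists.

    Assumption: only action="dropped" counts as blocked; any other action
    value is surfaced for review instead of being trusted.
    """
    blocked, not_blocked = [], []
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "ips" or ev.get("attack") != signature:
            continue
        (blocked if ev.get("action") == "dropped" else not_blocked).append(ev)
    return blocked, not_blocked

def sources(events):
    """Count events per source IP."""
    return Counter(ev.get("srcip", "") for ev in events)

# Constructed sample lines (documentation address ranges, shortened field set).
SAMPLE = [
    f'date=2022-10-04 devname= subtype="ips" action="dropped" srcip=203.0.113.10 '
    f'attack="{SIGNATURE}" url="/autodiscover/autodiscover.json?x y" dstport=443',
    f'date=2022-10-04 devname= subtype="ips" action="detected" srcip=198.51.100.7 '
    f'attack="{SIGNATURE}" url="/autodiscover/autodiscover.json?z" dstport=443',
    'date=2022-10-04 devname= subtype="ips" action="dropped" srcip=203.0.113.10 '
    'attack="Constructed.Other.Signature" url="/" dstport=443',
]

if __name__ == "__main__":
    blocked, not_blocked = triage(SAMPLE)
    print("blocked by source:", dict(sources(blocked)))
    for ev in not_blocked:
        print("NOT blocked:", ev["srcip"], ev["action"], ev["url"])
```

Any event in the second list is a request that reached the destination and warrants checking the Exchange server's own logs for the same source and time.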