Question to everybody who only has the Autodiscover indicators: When you correlate those events to the IIS logs, are you seeing a POST /ecp/y.js?
I have 2 Autodiscover indicators that were thrown by the detection script. Looking at the time of these events in the IIS logs, for the first event on 2/28 I see the attacker first did a GET /ews/ which returned a 401 and then a POST /ecp/y.js which returned a 200. For the second event on 3/3 the attacker did a GET /ews/ again with a result of 401 and then a POST /ecp/y.js again with result 200.
Does anyone know what that means? I've searched for y.js and there is no such file. Is that just how they run the Autodiscover attempt by sending a POST to a phantom file? Or is something else going on? Why would the status code be 200?
Any help would be greatly appreciated!
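The correlation described in the post (a GET /ews/ answered 401, followed shortly by a POST /ecp/y.js answered 200 from the same client) can be automated over an IIS W3C log instead of eyeballed. The following is an added example, not code from the post or from any detection script mentioned in the thread. It assumes the default IIS W3C field layout (column names are taken from the `#Fields:` header, so a different selection of fields still parses), the sample log excerpt is constructed and the IPs, timestamps and user agents in it are invented, and the five-minute pairing window is an arbitrary choice:

```python
"""Pair GET /ews/ (401) with a later POST /ecp/y.js (200) from the same client in IIS W3C logs."""
from datetime import datetime, timedelta

# Constructed sample excerpt in the default IIS W3C layout (not real log data).
# IIS writes '+' for spaces inside field values, so each record is space-separable.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-02-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-02-28 03:14:07 10.0.0.5 GET /ews/ - 443 - 203.0.113.10 python-requests/2.25.1 - 401 1 2148074254 15
2021-02-28 03:14:08 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.10 python-requests/2.25.1 - 200 0 0 102
2021-02-28 03:20:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2021-03-03 11:02:41 10.0.0.5 GET /ews/ - 443 - 203.0.113.10 python-requests/2.25.1 - 401 1 2148074254 12
2021-03-03 11:02:42 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.10 python-requests/2.25.1 - 200 0 0 98
2021-03-03 12:00:00 10.0.0.5 POST /ecp/y.js - 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 40
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # drop the '#Fields:' token itself
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_ews_then_yjs(records, window=timedelta(minutes=5)):
    """Return (client_ip, ews_401_time, yjs_200_time) for each POST /ecp/y.js -> 200
    that follows a GET /ews/ -> 401 from the same client within `window`.
    The window length is an assumption, not something the post specifies."""
    hits = []
    last_ews_401 = {}  # c-ip -> timestamp of that client's most recent GET /ews/ 401
    for r in sorted(records, key=lambda r: r["ts"]):
        ip = r["c-ip"]
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "GET" and stem == "/ews/" and r["sc-status"] == "401":
            last_ews_401[ip] = r["ts"]
        elif r["cs-method"] == "POST" and stem == "/ecp/y.js" and r["sc-status"] == "200":
            prior = last_ews_401.get(ip)
            if prior is not None and r["ts"] - prior <= window:
                hits.append((ip, prior, r["ts"]))
    return hits


if __name__ == "__main__":
    for ip, ews_ts, yjs_ts in find_ews_then_yjs(parse_iis_w3c(SAMPLE_LOG)):
        print(f"{ip}: GET /ews/ 401 at {ews_ts} -> POST /ecp/y.js 200 at {yjs_ts}")
```

On the constructed sample this reports the two 2/28 and 3/3 pairs from 203.0.113.10 and ignores the lone POST /ecp/y.js from 192.0.2.44, which had no preceding /ews/ 401 from that address. To run it on real data, replace SAMPLE_LOG with the contents of the u_ex*.log files from the Default Web Site's log directory; the time values IIS writes are UTC unless the site was configured otherwise, so convert the detection script's timestamps to the same zone before comparing.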