Hey everyone,
Regarding folks who only saw autodiscover attempts for the administrator email (myself included), I made a poll on Reddit to try to gather more info and see whether everyone who had further signs of compromise, such as webshells being dropped, actually had an active administrator account. If you wouldn't mind sharing your experiences so far, the thread is here: https://www.reddit.com/r/exchangeserver/comments/lyr2lr/if_you_were_compromised_by_the_latest_0day_hack/
What's interesting is that the theory has been that if you did not have an active admin email, the attackers seemed to give up and move on. But there were people who responded to the poll saying they were compromised even though they did NOT have an active admin email (obviously a small sample size so far, but still).
So I continue to wonder what the administrator autodiscover probing means and why the attackers didn't go further (at least that we know of so far), as happened with others.
If anyone else can share some information on these autodiscover indicators and can confirm they were probes only, I'd love to hear it.
Thanks!