Forum Discussion
li_eric (Copper Contributor)
Aug 14, 2024
Exchange Server 2016 Under Continuous EWS Attack
Our organization has been experiencing persistent malicious attacks on our Exchange Server 2016. Initially, we noticed that some user accounts were being locked out unexpectedly. Upon investigation, we found that the source of these lockouts was the Exchange Server.
The logs from IIS (located at C:\inetpub\logs\LogFiles\W3SVC1\) and the EWS logs (C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews) contained records of failed requests from malicious IP addresses.
# From C:\inetpub\logs\LogFiles\W3SVC1\
2024-08-13 12:32:50 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=855b48d1-102a-45b5-af50-d058c36da902; 443 - 112.96.222.2 - - 401 1 2148074252 65
# From C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews
2024-08-13T12:32:50.332Z,855b48d1-102a-45b5-af50-d058c36da902,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST,,,,,,,,,661,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,5,,5,5,,,,BeginRequest=2024-08-13T12:32:50.327Z;CorrelationID=<empty>;SharedCacheGuard=0;EndRequest=2024-08-13T12:32:50.332Z;,,,,,,
It appears that the attackers are exploiting the EWS (Exchange Web Services) to gain access. However, completely shutting down EWS is not an option for us, as it is used by third-party applications to synchronize calendars.
I would like to understand if the attackers are exploiting any specific vulnerabilities and if there are ways to protect our system from these attacks. Any advice or shared experiences from others facing similar issues would be greatly appreciated.
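As an added example (not part of the post above), a small Python script that ties the two log sources together the way an admin would when deciding which sources to block at the firewall or in IIS IP restrictions: it joins the IIS cafeReqId to the HttpProxy RequestId, counts 401 responses per client address inside a sliding window, and records the authentication type (NTLM here) seen on the failed requests. The HttpProxy\Ews column positions are assumed from the sample row in the post, and all log lines other than the two quoted in the post are constructed.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs modelled on the two lines in the post: the first line of each
# block is the poster's (EWS row cut after the Method column), the rest are made up.
IIS_LOG = """\
2024-08-13 12:32:50 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=855b48d1-102a-45b5-af50-d058c36da902; 443 - 112.96.222.2 - - 401 1 2148074252 65
2024-08-13 12:32:51 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=00000000-0000-4000-8000-000000000001; 443 - 112.96.222.2 - - 401 1 2148074252 60
2024-08-13 12:32:53 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=00000000-0000-4000-8000-000000000002; 443 - 112.96.222.2 - - 401 1 2148074252 58
2024-08-13 12:33:10 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=00000000-0000-4000-8000-000000000003; 443 CONTOSO\\calsync 203.0.113.5 CalSync/1.0 - 200 0 0 120
"""
EWS_LOG = """\
2024-08-13T12:32:50.332Z,855b48d1-102a-45b5-af50-d058c36da902,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:33:10.100Z,00000000-0000-4000-8000-000000000003,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,Negotiate,true,CONTOSO\\calsync,,,CalSync/1.0,203.0.113.5,EXCHANGE-2,200,,,POST
"""

def parse_iis(text):
    # W3C fields: date time s-ip method stem query port user c-ip ua referer status ...
    for f in (l.split() for l in text.splitlines() if l and not l.startswith("#")):
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        m = re.search(r"cafeReqId=([0-9a-fA-F-]+)", f[5])
        yield ts, f[8], int(f[11]), (m.group(1) if m else None)
def parse_ews(text):
    # Assumed HttpProxy\Ews columns (from the post's row; check your log's header row):
    # 1=RequestId 11=AuthenticationType 12=IsAuthenticated 17=ClientIpAddress 19=HttpStatus
    for r in csv.reader(text.splitlines()):
        if len(r) > 19 and r[0] != "DateTime":
            yield r[1], r[11], r[12] == "true", r[17], int(r[19])
def flag_sources(iis_text, ews_text, threshold=3, window=timedelta(minutes=5)):
    # Report client IPs with >= threshold 401s inside any `window`, plus the auth type seen.
    ews = {rid: auth for rid, auth, ok, _ip, _st in parse_ews(ews_text) if not ok}
    fails, auths = defaultdict(list), defaultdict(set)
    for ts, ip, status, rid in parse_iis(iis_text):
        if status == 401:
            fails[ip].append(ts)
            if rid in ews:  # join IIS cafeReqId to the HttpProxy RequestId
                auths[ip].add(ews[rid])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(times), "auth": sorted(auths[ip])}
                break
    return flagged
```

Run against the real files with `flag_sources(open(iis_path).read(), open(ews_path).read())`; the threshold and window are tuning knobs, not fixed values.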