Forum Discussion

li_eric
Copper Contributor
Aug 14, 2024

Exchange Server 2016 Under Continuous EWS Attack

Our organization has been experiencing persistent malicious attacks on our Exchange Server 2016. Initially, we noticed that some user accounts were being locked out unexpectedly. Upon investigation, we found that the source of these lockouts was the Exchange Server.

The logs from IIS (located at C:\inetpub\logs\LogFiles\W3SVC1\) and the EWS logs (C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews) contained records of failed requests from malicious IP addresses.

# From C:\inetpub\logs\LogFiles\W3SVC1\
2024-08-13 12:32:50 10.x.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=855b48d1-102a-45b5-af50-d058c36da902; 443 - 112.96.222.2 - - 401 1 2148074252 65

# From C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews
2024-08-13T12:32:50.332Z,855b48d1-102a-45b5-af50-d058c36da902,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST,,,,,,,,,661,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,5,,5,5,,,,BeginRequest=2024-08-13T12:32:50.327Z;CorrelationID=<empty>;SharedCacheGuard=0;EndRequest=2024-08-13T12:32:50.332Z;,,,,,,


It appears that the attackers are exploiting the EWS (Exchange Web Services) to gain access. However, completely shutting down EWS is not an option for us, as it is used by third-party applications to synchronize calendars.

I would like to understand if the attackers are exploiting any specific vulnerabilities and if there are ways to protect our system from these attacks. Any advice or shared experiences from others facing similar issues would be greatly appreciated.
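As an added example for readers of this thread (not the poster's code and not a Microsoft tool), the script below tallies rejected EWS logons per source IP from the two log files named in the post, the IIS W3SVC log and the HttpProxy\Ews log, and flags any source that produces a burst of failures. The sample lines are constructed around the single entry shown above, the burst threshold and window are assumptions to tune for your own environment, and the HttpProxy column positions are taken from the layout of the posted line, so confirm them against the #Fields header of your own files. On the IIS side the filter keys on sc-win32-status 2148074252 (0x8009030C, SEC_E_LOGON_DENIED), which marks a rejected credential and separates it from the routine 401 challenge that opens every NTLM handshake.

```python
"""Added example: count rejected EWS logons per client IP from IIS W3SVC and
Exchange HttpProxy\\Ews logs, then flag sources that exceed a burst threshold.
Sample log text is constructed around the one line shown in the forum post."""
from collections import defaultdict
from datetime import datetime, timedelta

# 2148074252 == 0x8009030C == SEC_E_LOGON_DENIED: the presented credential was
# rejected, unlike the 401.2 (win32 status 5) challenge that starts every NTLM exchange.
SEC_E_LOGON_DENIED = 2148074252

# Constructed IIS W3C sample: the post's line plus extra lines from the same
# source and a legitimate calendar-sync client (assumed name CalendarSync/1.0).
IIS_SAMPLE = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-13 12:32:50 10.0.0.5 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=855b48d1-102a-45b5-af50-d058c36da902; 443 - 112.96.222.2 - - 401 1 2148074252 65
2024-08-13 12:32:51 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 112.96.222.2 - - 401 1 2148074252 60
2024-08-13 12:32:53 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 112.96.222.2 - - 401 1 2148074252 58
2024-08-13 12:32:55 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 112.96.222.2 - - 401 1 2148074252 61
2024-08-13 12:33:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 112.96.222.2 - - 401 1 2148074252 57
2024-08-13 12:33:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 192.0.2.44 CalendarSync/1.0 - 401 2 5 3
2024-08-13 12:33:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\svc-cal 192.0.2.44 CalendarSync/1.0 - 200 0 0 120
"""

# Constructed HttpProxy\Ews sample: the post's line plus constructed lines
# (request ids req-0002.. are placeholders) trimmed after the Method column.
EWS_SAMPLE = """#Fields: DateTime,RequestId,...
2024-08-13T12:32:50.332Z,855b48d1-102a-45b5-af50-d058c36da902,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST,,,,,,,,,661,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,5,,5,5,,,,BeginRequest=2024-08-13T12:32:50.327Z;CorrelationID=<empty>;SharedCacheGuard=0;EndRequest=2024-08-13T12:32:50.332Z;,,,,,,
2024-08-13T12:32:51.100Z,req-0002,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:32:53.400Z,req-0003,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:32:55.900Z,req-0004,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:33:02.250Z,req-0005,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:33:05.700Z,req-0006,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,112.96.222.2,EXCHANGE-2,401,,,POST
2024-08-13T12:33:10.000Z,req-0007,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,false,,,,,192.0.2.44,EXCHANGE-2,401,,,POST
2024-08-13T12:33:10.050Z,req-0008,15,1,2507,39,,Ews,autodiscover.domain.com,/EWS/Exchange.asmx,,NTLM,true,CORP\\svc-cal,,,,192.0.2.44,EXCHANGE-2,200,,,POST
"""

# 0-based column positions in the HttpProxy CSV, read off the posted line.
# Assumption: verify against the #Fields header line of your own log files.
EWS_COL = {"DateTime": 0, "IsAuthenticated": 12, "ClientIpAddress": 17, "HttpStatus": 19}


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):   # skip truncated or foreign lines
                rows.append(dict(zip(fields, parts)))
    return rows


def iis_failed_logons(rows):
    """Yield (timestamp, client_ip) for EWS requests whose credential was rejected."""
    for r in rows:
        if (r["cs-uri-stem"].lower().startswith("/ews/")
                and r["sc-status"] == "401"
                and int(r["sc-win32-status"]) == SEC_E_LOGON_DENIED):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, r["c-ip"]


def ews_failed_logons(text):
    """Yield (timestamp, client_ip) for unauthenticated 401s in the HttpProxy\\Ews log."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split(",")
        if len(cols) <= EWS_COL["HttpStatus"]:
            continue
        if cols[EWS_COL["HttpStatus"]] == "401" and cols[EWS_COL["IsAuthenticated"]] == "false":
            ts = datetime.strptime(cols[EWS_COL["DateTime"]], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, cols[EWS_COL["ClientIpAddress"]]


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def summarize(iis_text=IIS_SAMPLE, ews_text=EWS_SAMPLE, threshold=5):
    """Flag bursty sources in each log separately (both logs record the same requests,
    so merging them would double count)."""
    return {
        "iis": find_bursts(iis_failed_logons(parse_w3c(iis_text)), threshold),
        "ews": find_bursts(ews_failed_logons(ews_text), threshold),
    }


if __name__ == "__main__":
    for source, hits in summarize().items():
        for ip, count in hits.items():
            print(f"{source}: {ip} produced {count} rejected EWS logons inside the window")
```

Point the two sample strings at real files (the IIS log is already W3C format; the HttpProxy log only needs its column header checked) and the flagged addresses are candidates for an edge firewall or IIS IP restriction rule, while the legitimate calendar-sync client, which only ever produces the initial 401 challenge before its 200, stays unflagged.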
