Forum Discussion

Jeff Harlow
Iron Contributor
Jul 31, 2018

Local User Account Brute Attack with EOP

Have a Hybrid scenario with Exchange 2010 on-premise. I have a program that monitors user account lockouts. Recently we have noticed several user accounts being locked out, which appears to be a brute attack originating from our Exchange Server. The user accounts are not being locked out from the O365 side, and user accounts are protected with MFA. The logs from the program point out that the attack is from our on-premise Exchange server. My question is this: the setup on this server has remained the same since we migrated to the cloud (ports, services, etc.). Microsoft support, which is limited when it comes to Hybrid scenarios, would only tell me that all of the services and ports are necessary to keep the Hybrid operational. So with that, are there any other recommendations to reduce these account lockouts? Thanks.

  • Adam Ochs
    Steel Contributor

    Hello Again Jeff!

    It is always rough when you have the problem/attack coming from your on-prem, as you do need to keep that open and communicating with O365 to ensure a smooth coexistence. I will say I think your solution is going to have to live outside of that, as you will struggle when you try to mess with the federation/coexistence. As such, I would look at this as a security issue on-prem, not through the hybrid connection.

    1. The most obvious is to put in place measures to watch/monitor the on-prem Exchange better. Putting in place IP blocklists, or using your local firewall to try to keep specific IPs/locations out, may be best. Everything else is going to be somewhat half measures, as they will block stuff through O365 but not through a direct login/access to your on-prem.
    From there:

    2. I would probably approach this from an identity/access standpoint.

    Standing up claims rules in ADFS would probably work best; you can just block login access from unknown places. Azure AD can do this somewhat, as well. I am unsure if you would need your on-prem server in there (but blocking in Azure AD probably doesn't block the direct access to the Exchange on-prem).

    Hope this at least helps get ideas flowing.
    Adam

    • Jeff Harlow
      Iron Contributor

      Thanks for the response. I am waiting for it to happen again and see if I can tie the instance in with active IP addresses. We do not have a lot in place for monitoring, as we are a small business. I was hoping MS would provide a reasonable solution, like enabling direct IPs for their services only to connect to our Exchange server, but that was not the case. We will not get our local AD out of this equation fast enough... We do not have ADFS in place. The goal is to get all of our services/servers in Azure and remove the local premise servers.
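One practical way to do the correlation Jeff describes (tying a lockout to the client address behind it), as an added example that is not part of this thread and not a Microsoft tool: the domain controller's 4740 lockout event only names the Exchange server as the "Caller Computer Name", because Exchange is the machine that submitted the bad passwords on the client's behalf. The client's real IP is in the Exchange server's IIS logs, where each failed Basic/ActiveSync or OWA authentication is a 401 response. The script below parses a W3C-format IIS log, keeps only 401 responses with sc-substatus 1 (logon failed; the 401.2 rows are just the Negotiate/NTLM challenge and are benign), and summarises failures per client IP, flagging any IP that produced at least the lockout threshold of failures inside the lockout observation window. The log lines, threshold (5), window (10 minutes), log path and site id W3SVC1 are all assumptions for illustration; match them to your own AD lockout policy and `Get-Website` output.

```powershell
# Added example, not from the thread: summarise failed authentications in an Exchange
# server's IIS log by client IP. Assumes W3C format with a "#Fields:" header; the sample
# log below is constructed. Assumes 401 + sc-substatus 1 = logon failure, 401.2 = challenge.

function ConvertFrom-W3CLog {
    # Turn W3C log lines into objects whose property names come from the #Fields header.
    param([Parameter(Mandatory)] [string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring('#Fields:'.Length).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$record
    }
}

function Test-Burst {
    # True when at least $Threshold timestamps fall inside some span of $WindowMinutes.
    param([datetime[]]$Times, [int]$Threshold, [int]$WindowMinutes)
    $sorted = @($Times | Sort-Object)
    for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
        if (($sorted[$i + $Threshold - 1] - $sorted[$i]).TotalMinutes -le $WindowMinutes) { return $true }
    }
    return $false
}

function Get-FailedAuthSummary {
    # One row per client IP: number of logon failures, accounts tried, first/last seen,
    # and whether the failures arrived in a burst that would trip the lockout policy.
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$Threshold = 5,        # assumed AD lockout threshold
        [int]$WindowMinutes = 10    # assumed AD lockout observation window
    )
    $failed = $Records | Where-Object { $_.'sc-status' -eq '401' -and $_.'sc-substatus' -eq '1' }
    $failed | Group-Object -Property 'c-ip' | ForEach-Object {
        $times = @($_.Group | ForEach-Object {
            [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        } | Sort-Object)
        # cs-username is usually "-" on a failed request; ActiveSync puts the target
        # mailbox in the query string, so collect the account from either place.
        $users = @($_.Group | ForEach-Object {
            if ($_.'cs-username' -ne '-') { $_.'cs-username' }
            elseif ($_.'cs-uri-query' -match '(?:^|&)User=([^&]+)') { $Matches[1] }
        } | Sort-Object -Unique)
        [pscustomobject]@{
            ClientIP  = $_.Name
            Failures  = $_.Count
            Accounts  = ($users -join ',')
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Burst     = Test-Burst -Times $times -Threshold $Threshold -WindowMinutes $WindowMinutes
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample: one address hammering two mailboxes over ActiveSync, one normal
# OWA client whose first 401 is only the auth challenge (substatus 2) and is ignored.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-07-31 10:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jharlow&DeviceId=dev1 443 - 203.0.113.7 TestAgent/1.0 401 1 0 15
2018-07-31 10:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jharlow&DeviceId=dev1 443 - 203.0.113.7 TestAgent/1.0 401 1 0 12
2018-07-31 10:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jharlow&DeviceId=dev1 443 - 203.0.113.7 TestAgent/1.0 401 1 0 11
2018-07-31 10:00:07 10.0.0.5 POST /Microsoft-Server-ActiveSync User=aochs&DeviceId=dev1 443 - 203.0.113.7 TestAgent/1.0 401 1 0 14
2018-07-31 10:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=aochs&DeviceId=dev1 443 - 203.0.113.7 TestAgent/1.0 401 1 0 13
2018-07-31 10:01:00 10.0.0.5 GET /owa/ - 443 - 192.0.2.20 Mozilla/5.0 401 2 5 3
2018-07-31 10:01:01 10.0.0.5 GET /owa/ - 443 CONTOSO\jharlow 192.0.2.20 Mozilla/5.0 200 0 0 40
'@

$records = ConvertFrom-W3CLog -Lines ($sampleLog -split "`r?`n")
Get-FailedAuthSummary -Records $records -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize

# Against a real server (log path and site id W3SVC1 are assumptions; confirm with Get-Website):
# $records = ConvertFrom-W3CLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex180731.log')
# Get-FailedAuthSummary -Records $records | Where-Object Burst
```

With the sample data this reports a single row, 203.0.113.7 with 5 failures against jharlow and aochs inside a two-minute span and Burst = True, while 192.0.2.20 never appears because its only 401 was the challenge. Rows with Burst = True are the addresses worth adding to the firewall or IP blocklist that Adam suggests, and the FirstSeen/LastSeen columns are what you line up against the timestamp of the 4740 event from the lockout-monitoring tool.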
