We are seeing HTTP status code 241 in IIS logs taken from compromised
Exchange servers - is this something that anyone else has noticed or is
there someone at Microsoft who can collaborate this unusual code
appearing in logs?
@Nino Bilic Thanks Nino. I saw that and just ran it this morning. Came
back clean. So I feel based on the information we have up to this point
we were very lucky. Do you think it can be said with reasonable
confidence that if all you found were Autodiscover log entries and MSERT
did not find anythin...
@JamesTechnet - FYI, there is a new development that can help here (with
remediation): the MSTIC team has updated their post about March
vulnerabilities (scroll all the way down) to mention that the Microsoft
Safety Scanner - MSERT tool has been updated to scan Exchange server.
Hey everyone, Regarding folks who only saw autodiscover attempts for the
administrator email (myself included), I made a poll on Reddit to try to
gather more info to see if everyone who had further signs of compromise
such as webshells being dropped actually had an active administrator
account. If y...
Latest Comments