Excessive no. of failed logon attempts from Exchange servers

Hi,

There is an excessive number of failed logon attempts from Exchange servers. The issue has been identified in the QRadar SIEM tool by the SOC team, as all of these failed logon attempts originate from the Exchange servers.

Upon checking the event logs of the Exchange server, event ID 4652 is logged every minute for random Exchange users. There is no impact on the user end, but our security team raised a concern to find out why these failed logon attempts are originating from the Exchange servers.

The environment is Exchange Server 2019 in DAG mode. There are 6 servers in total, 3 on the PR site and the remaining 3 on the DR site, in a single DAG. No recent changes. Unable to find the reason for the failed logon attempts.
