Some days ago an internal user of the company where I work, changed his email password. All the email accounts are hosted on an internal mail server that is not MS. After the password change, the user updated it on all his devices but his account began to be blocked due to repeated failed attempts to log in. After making sure all their devices were turned off, we saw that the attempts were continuing. Looking at the logs on our FW, we see that a Microsoft IP (184.108.40.206) is trying to log externally to our mail server all the time:
imap - authentication failed for [firstname.lastname@example.org] (external LDAP auth failed, LDAP error: - unable to ldap authenticate: invalid credentials)
The user assures us that he uses Office on her iPhone but there he no longer has the account configured or on any other device (checked).
My question is: how is it possible that a Microsoft IP is trying to connect through a high port to an LDAP? What would the user have to do to achieve this and where could I start to investigate to delete this configuration?