Reconnaissance using account enumeration - how to troubleshoot



I have a new install of ATA on 6 DCs. 2 DCs are in Azure space for our AD Connect sync/ADFS. Is this alert a common occurrence seen on ADFS/WAP servers? Safe to create an exception?


Shortly after the ATA lightweight gateway was installed on the 2 DCs in Azure, this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2). The two DCs in Azure chat with the 2 ADFS servers in Azure (other 4 DCs are on-prem).


I have read this MS article, but still need some assistance to identify if this is malicious or not.


  • Total accounts guessed = 1012
  • Existing accounts found = 27 (many of these are disabled user accounts)
  • Non-existing accounts guessed = 984

Of the non-existing accounts I would guess about 1/2 of them are old or disabled accounts. The other 1/2 appear to be guesses (IE:,,


For the accounts that were found and enabled, I do see bad password attempts, but they are hours apart. Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?


Thanks, any tips or comments are appreciated.


5 Replies

Azure AD Connect servers typically cause false-positive alerts and could be excluded under "Suspected DCSync attack (replication of directory services)":



@Joel Jerkin 

Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.



We are not familiar with such cases.

I will recommend verifying it with the ADFS and AD Connect product group, if there are built-in processes that are doing such behavior.

As already shared, the known issue we are familiar with is with replications.




@DrewP2400 The accounts that have been uncovered, are they on ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? Are you already using Azure MFA?

@DrewP2400 I also have this issue. Did you solve it?