Exchange Server Hacks: Notes From The Field
Cybersecurity is a top concern for everyone in the banking and financial sectors, and credit unions are no exception. The speed at which bots discover and target internet-facing Exchange Servers underscores the need for a variety of security solutions to minimize attack surfaces.
In our fifth and final case, we examine what happened when a credit union enabled external Outlook Web email to accelerate work-from-home during the Covid pandemic.
When COVID-19 arrived, it made perfect sense for the credit union to enable external Outlook Web (OWA) and enact its work-from-home procedure. Outlook Web was already in use internally and was the ideal tool for staff to continue working remotely.
Within days of publishing OWA, however, the credit union's help desk was inundated with password reset requests. When the IT support team investigated the issue manually, at considerable effort, they determined that the OWA login page was the target of a password spray attack: the Active Directory account lockout policy was triggering constantly, locking legitimate employees out and preventing them from doing their work.
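The spray pattern described above has a recognisable shape in the authentication logs: one client address failing logins against many different accounts a few times each, while the lockout policy fires on whichever accounts are hit often enough. The following is an added example, not code from Messageware or the credit union; the failed-login records are constructed samples, their CSV layout is an assumption (a real feed would be extracted from the Exchange server's IIS logs or Windows failed-logon events), and the thresholds are assumed values to tune against the site's lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed OWA logins (timestamp, client IP, account). The
# CSV shape is an assumption, standing in for IIS or failed-logon event data.
SAMPLE_FAILURES = """\
2020-04-01T08:00:01,203.0.113.5,alice
2020-04-01T08:00:03,203.0.113.5,bob
2020-04-01T08:00:05,203.0.113.5,carol
2020-04-01T08:00:07,203.0.113.5,dave
2020-04-01T08:00:09,203.0.113.5,erin
2020-04-01T08:10:00,198.51.100.7,alice
2020-04-01T08:10:30,198.51.100.7,alice
2020-04-01T08:11:00,198.51.100.7,alice
"""

def parse_failures(text):
    """Parse the CSV into (timestamp, ip, account) tuples, oldest first."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(t), ip, u.lower()) for t, ip, u in rows)

def _windows(events, window):
    """Yield the trailing slice of time-sorted events that fits in `window`."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield events[start:end + 1]

def detect_spray(rows, window=timedelta(minutes=10), min_accounts=5):
    """Client IPs that failed logins for >= min_accounts distinct accounts
    inside one window: a spray tries many accounts a few times each, so the
    distinct-account count is the signal. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ts, ip, user in rows:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        for win in _windows(events, window):
            accounts = {u for _, u in win}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged

def lockout_risk(rows, window=timedelta(minutes=30), threshold=3):
    """Accounts whose failures in one window reach the assumed AD lockout threshold."""
    by_user = defaultdict(list)
    for ts, ip, user in rows:
        by_user[user].append((ts, ip))
    return {u for u, ev in by_user.items()
            if any(len(w) >= threshold for w in _windows(ev, window))}
```

On the sample, `detect_spray` flags 203.0.113.5 for touching five accounts in seconds, while `lockout_risk` reports alice, whose failures from two sources are enough to trip the assumed lockout threshold.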
Attacks on Exchange Server messaging services and protocols such as Autodiscover, ActiveSync, ECP, EWS, and OWA can lead to breaches that expose proprietary data, email accounts, and internal network access. Even when the attacks fail, they overwhelm help desks and security teams with user lockout recovery and investigative analysis.
These concerns led their Exchange Server messaging team to Messageware in search of a comprehensive set of additional security solutions that would:
- record all access activity
- provide automated alerts
- dynamically block login attacks
- simplify monitoring and analysis of security data
By installing Messageware EPG (Exchange Protocol Guard) to monitor and protect essential Exchange Server messaging protocols and services, the organization was able to use OWA with confidence, now equipped with a range of tools and automated protection against future password spray attacks and Active Directory lockouts.