Organizations running Exchange Server SE rely on firewalls to help protect the environment. These range from expensive, feature-rich systems to devices with only the most basic security controls. I’m always surprised by how diverse the deployments are across the many customer systems we encounter.
Why Traditional Firewalls and Geo-Blocking Fall Short
Basic firewalls offer little more than packet-level inspection. More capable firewalls add geographic access controls and support for “drop lists”. Geographic blocking either attempts to block “bad” countries or simply limits all access to the home country. Drop lists attempt to block connections from IP sources already known to be suspicious.
Even well-designed firewall solutions are far less effective today than they once were. Attackers have become significantly more sophisticated, and malicious activity now originates from IP addresses in traditionally “safe” regions. In addition, the pool of suspicious or compromised IP sources changes constantly. As a result, static or infrequently updated drop lists and basic geographic blocking no longer provide adequate protection on their own.
Exchange Servers routinely receive large volumes of non-user traffic, including automated systems probing for Exchange versions, mailbox data, and known vulnerabilities. We also see traffic from legitimate user IPs that have been unknowingly compromised by malware, from servers operated by cybercriminals, and from cataloguing systems scanning for server details. In short, a significant portion of incoming connections is illegitimate and poses an ongoing security risk.
Here’s a sample of threat data captured by Messageware showing live probing attempts blocked on one of our test servers. Attacks of this kind occur daily, target Exchange SE environments indiscriminately, and are often not detected by security teams.
| Source IP | Protocol/Endpoint | User-Agent | Country | ISP/Organization |
|---|---|---|---|---|
| 107.xxx.xxx.5 | Autodiscover | Mozilla 5.0 zGrab/0.x | United States | Digital Ocean |
| 91.xxx.xxx.112 | EWS | Mozilla 5.0/BaiduSpider 2.0 | Russia | Volgograd Oblast |
| 185.xxx.xxx.82 | MAPI/HTTP | AppleWebKit/605.1.15 (_like Gecko) | Seychelles | Datashield Inc. |
| 79.xxx.xxx.198 | OWA | Mozilla/5.0 zgrab/0.x | Bulgaria | Tamatiya EOOD |
| 134.xxx.xxx.24 | OWA | go-http client | United States | Hurricane Electric |
| 185.xxx.xxx.7 | Autodiscover | python-requests/2.31.0 | Romania | Timisoura |
| 185.xxx.xxx.7 | OWA | python-requests/2.31.0 | Romania | Timisoura |
| 185.xxx.xxx.7 | EWS | python-requests/2.31.0 | Romania | Timisoura |
| 185.xxx.xxx.7 | OutlookAnywhere | python-requests/2.31.0 | Romania | Timisoura |
| 91.xxx.xxx.9 | Autodiscover | Go-http-client/1.1 | China | Chang Way Technologies Co. Limited |
| 91.xxx.xxx.9 | OWA | Go-http-client/1.1 | China | Chang Way Technologies Co. Limited |
| 91.xxx.xxx.9 | EWS | Go-http-client/1.1 | China | Chang Way Technologies Co. Limited |
| 91.xxx.xxx.9 | OutlookAnywhere | Go-http-client/1.1 | China | Chang Way Technologies Co. Limited |
How Attackers Evade Detection from “Safe” Regions
A closer look at this threat data highlights a common tactic for bypassing standard geo-blocking. Several of the blocked attempts originate from the United States, typically treated as a safe, allow-listed region. Organizations such as ShadowServer.org and Shodan.io probe and publicly catalog servers from well-known ISPs and cloud providers, and attackers frequently use these same domestic platforms as proxy networks, masking malicious traffic behind trusted infrastructure and rendering traditional “foreign country” blocklists largely ineffective. The user agents reinforce this: zGrab, Go-http-client, and python-requests are automated HTTP clients, not browsers or Outlook, probing Exchange endpoints such as Autodiscover, OWA and EWS for weaknesses.
Legacy firewalls are not designed to detect this. Operating primarily at the network layer, they see only “valid HTTPS traffic on port 443,” with no understanding of Exchange-specific behavior. They cannot distinguish a legitimate employee signing in to OWA from an automated scanner running inside a U.S. cloud data center. Without visibility into user agents, request patterns, or contextual anomalies, your attack surface remains exposed. This makes it essential to move beyond static, location-based rules and adopt dynamic, behavior- and reputation-driven threat intelligence.
Effective Exchange Server security goes a step further. The strongest solutions automatically detect and block suspicious IP sources based on behavior observed in your own environment. Combining live threat data feeds with a dynamic internal blocklist enables an immediate response when:
- attackers target your servers specifically, or
- threat actors use high-volume brute-force attempts or slow, low-volume probing that slips past traditional controls.
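As an added example (not code from Messageware or from Exchange Protocol Guard), the Python script below shows what the Exchange-aware visibility described above and the dynamic internal blocklist in the list above look like in practice. It parses IIS W3C logs from an Exchange front end, flags scripted user agents, sweeps across several Exchange endpoints, bursts of authentication failures, and low-and-slow probing, then emits a blocklist without consulting geography at all. The log lines are constructed (TEST-NET addresses), the field order is the IIS W3C default on Exchange, and the thresholds are illustrative assumptions, not recommended values.

```python
"""Exchange-aware triage of IIS W3C logs. Added example, not Messageware/EPG
code: flags scripted clients, endpoint sweeps, burst brute force and
low-and-slow probing, then emits a blocklist. Log lines are constructed
(TEST-NET addresses) in the IIS W3C default field order for Exchange."""
from collections import defaultdict
from datetime import datetime, timedelta

# Exchange virtual directories to watch, keyed by lower-case URI prefix.
EXCHANGE_ENDPOINTS = {
    "/autodiscover": "Autodiscover", "/ews": "EWS", "/owa": "OWA",
    "/mapi": "MAPI/HTTP", "/rpc": "OutlookAnywhere",
    "/microsoft-server-activesync": "EAS",
}
# Substrings marking scripted HTTP clients rather than Outlook or a browser.
SCANNER_UA_MARKERS = ("zgrab", "go-http-client", "python-requests", "curl/", "masscan", "nmap")
# Illustrative thresholds (assumptions); tune against your own baseline.
BRUTE_FORCE_FAILURES, BRUTE_FORCE_WINDOW = 8, timedelta(minutes=5)
SLOW_FAILURES, SLOW_SPAN = 5, timedelta(hours=4)
SWEEP_ENDPOINTS = 3

# Constructed sample; IIS writes spaces inside User-Agent as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-10 08:00:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 203.0.113.7 python-requests/2.31.0 - 401 1 2148074254 15
2025-01-10 08:00:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 21
2025-01-10 08:00:03 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 203.0.113.7 python-requests/2.31.0 - 401 1 2148074254 12
2025-01-10 08:00:04 10.0.0.5 GET /rpc/rpcproxy.dll - 443 - 203.0.113.7 python-requests/2.31.0 - 401 1 2148074254 11
2025-01-10 09:15:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.99 Go-http-client/1.1 - 200 0 0 18
2025-01-10 10:00:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 9
2025-01-10 10:00:10 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 9
2025-01-10 10:00:20 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 8
2025-01-10 10:00:30 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 9
2025-01-10 10:00:40 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 10
2025-01-10 10:00:50 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 9
2025-01-10 10:01:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 9
2025-01-10 10:01:10 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.50 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 8
2025-01-10 06:00:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 10
2025-01-10 07:45:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 11
2025-01-10 09:30:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 10
2025-01-10 11:15:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 12
2025-01-10 13:00:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 1 2148074254 10
2025-01-10 08:30:00 10.0.0.5 POST /mapi/emsmdb/ MailboxId=jsmith@contoso.example 443 - 192.0.2.10 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 401 2 5 8
2025-01-10 08:30:01 10.0.0.5 POST /mapi/emsmdb/ MailboxId=jsmith@contoso.example 443 CONTOSO\\jsmith 192.0.2.10 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328;+Pro) - 200 0 0 44
"""

def endpoint_of(uri_stem):
    """Map a request path to the Exchange endpoint it targets, or None."""
    stem = uri_stem.lower()
    return next((name for prefix, name in EXCHANGE_ENDPOINTS.items()
                 if stem.startswith(prefix)), None)

def parse_w3c(text):
    """Parse IIS W3C text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # truncated record: skip rather than misalign columns
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            row["ua"] = row["cs(User-Agent)"].replace("+", " ")
            row["endpoint"] = endpoint_of(row["cs-uri-stem"])
            rows.append(row)
    return rows

def has_burst(times, count, window):
    """True if any `count` consecutive sorted timestamps fall within `window`."""
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))

def classify(rows):
    """Return {client_ip: set(reasons)} for clients behaving like attackers."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row["c-ip"]].append(row)
    verdicts = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        reasons = set()
        if any(m in r["ua"].lower() for r in hits for m in SCANNER_UA_MARKERS):
            reasons.add("scanner_user_agent")
        if len({r["endpoint"] for r in hits if r["endpoint"]}) >= SWEEP_ENDPOINTS:
            reasons.add("endpoint_sweep")
        failures = [r["ts"] for r in hits if r["sc-status"] == "401"]
        any_2xx = any(r["sc-status"].startswith("2") for r in hits)
        if has_burst(failures, BRUTE_FORCE_FAILURES, BRUTE_FORCE_WINDOW):
            reasons.add("brute_force")
        # A handful of failures spread over hours and never a 2xx: probing below rate limits.
        if not any_2xx and len(failures) >= SLOW_FAILURES and failures[-1] - failures[0] >= SLOW_SPAN:
            reasons.add("low_and_slow")
        if reasons:
            verdicts[ip] = reasons
    return verdicts

def dynamic_blocklist(log_text):
    """Sorted client IPs to block. Geography is never consulted."""
    return sorted(classify(parse_w3c(log_text)))
```

Two caveats before feeding output like this to a firewall: NTLM and Negotiate clients always receive a 401 challenge before their 200, so one or two 401s per client are normal and the thresholds must sit above that noise (the 192.0.2.10 rows in the sample show the pattern); and failed OWA forms-based logons typically return a 302 back to the logon page rather than a 401, so OWA password guessing needs its own rule. Entries in the blocklist should also expire after a fixed interval, since the pool of hostile sources changes constantly.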
Enhancing Security with Intelligent, Exchange-Aware Protection
Messageware Exchange Protocol Guard (EPG) is designed to address these challenges by adding layers of intelligent, Exchange-aware protection. EPG automatically detects and stops both high-volume password-guessing attacks and long-term reconnaissance activity. It also integrates directly with enhanced dynamic threat feeds, providing accurate, real-time intelligence on systems known to generate malicious traffic, and blocks those connections before they reach your server (as illustrated in the sample data above).
Secure your Exchange Server. Stop AD lockouts. Block password attacks. Prevent probing. FREE TRIAL