Early one morning, a sudden spike in helpdesk calls for password resets and account releases swamped IT-support staff at a hospital network. User accounts were under attack and Active Directory lockouts were spreading fast. Together we installed Messageware Exchange Protocol Guard (EPG) to inspect Outlook Web traffic in detail, and two things happened immediately:
- We found thousands of failed login attempts from numerous geographic locations, and
- We used EPG to isolate the malicious login attempts and quickly halt the attacks, preventing further Active Directory lockouts … or so we thought.
Fast forward three weeks and the attacks appeared to resume, except this time with two new factors: the attack had switched from Outlook Web to Exchange Web Services (the EWS protocol), and it appeared to originate internally, from a single IP address.
Because Messageware EPG monitors multiple protocols, the attack was quickly stopped. EPG reporting also identified the source of the attack as an infected Macintosh computer in a hospital research lab. It turned out that this machine had been infected before; this time it was removed from the network for a complete wipe.
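The cross-protocol check described above, written out as an added example (not Messageware's or EPG's code): it parses constructed IIS-style Exchange log lines, counts failed logons per protocol and source address, and flags sources that hit many accounts or sit in internal address space, which is how the switch to EWS from an internal host would surface. The log field layout, the threshold and all addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed IIS-style log lines (not real data): date time cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2024-03-01 06:02:11 /owa/auth.owa jsmith 203.0.113.7 401
2024-03-01 06:02:12 /owa/auth.owa jsmith 203.0.113.7 401
2024-03-01 06:02:13 /owa/auth.owa mjones 198.51.100.9 401
2024-03-01 06:02:14 /owa/auth.owa adavis 203.0.113.7 401
2024-03-01 06:05:00 /owa/auth.owa klee 203.0.113.40 200
2024-03-22 05:40:01 /ews/exchange.asmx jsmith 10.20.30.44 401
2024-03-22 05:40:01 /ews/exchange.asmx mjones 10.20.30.44 401
2024-03-22 05:40:02 /ews/exchange.asmx adavis 10.20.30.44 401
2024-03-22 05:40:02 /ews/exchange.asmx klee 10.20.30.44 401
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\S+) (\d{3})$")
# RFC 1918 only: ipaddress.is_private would also match the documentation ranges used above.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def protocol_of(uri):
    """Map the request path to the Exchange protocol that serves it."""
    uri = uri.lower()
    return "OWA" if uri.startswith("/owa") else "EWS" if uri.startswith("/ews") else "other"

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def failed_auth_by_source(log_text):
    """Count 401s per (protocol, client IP) and collect the distinct usernames tried."""
    attempts, users = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uri, user, ip, status = m.groups()
        if status == "401":
            key = (protocol_of(uri), ip)
            attempts[key] += 1
            users[key].add(user)
    return attempts, users

def flag_sources(log_text, threshold=3):
    """Sources at or above the failure threshold, with account spread and origin."""
    attempts, users = failed_auth_by_source(log_text)
    flagged = [{"protocol": proto, "ip": ip, "failures": n,
                "accounts": len(users[(proto, ip)]), "internal": is_internal(ip)}
               for (proto, ip), n in attempts.items() if n >= threshold]
    return sorted(flagged, key=lambda f: (f["protocol"], f["ip"]))
```

On the sample data the external OWA source and the internal EWS source are both flagged, while the source with only two failures and the successful logon are not.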
It’s now been several months since these incidents and we’re happy to report that Messageware EPG continues to provide protection and the support desk has been able to focus on their more typical user calls.