Disgruntled ex-employee attacks Exchange Server with Outlook Mobile from their BYOD device

Exchange Server: Notes from the Field

Support staff in a large manufacturing company were experiencing a sudden increase in the number of calls dealing with Active Directory user account lockouts and email password resets. The Exchange Server messaging group reached out to us for help. Together we installed Exchange Protocol Guard (EPG) to find out what was going on and to resolve the issue.

EPG reports allowed them to quickly determine that an ex-employee was attempting to login via Outlook Web and Outlook Mobile (ActiveSync) using a combination of active employee usernames and password guessing.

The ex-employee had configured all the key information into their personal cell phone (ActiveSync) and was changing the username to his prior co-workers accounts, and then guessing at the passwords. The team was able to use EPG to see that the ex-employee had not yet gained access to any user accounts and they blocked further attempts that would generate more AD account lockouts and user-level denial of services (DoS).

As an added benefit, EPG also helped them discover and block many mobile phones belonging to past employees. The devices were still making continuous login attempts long after they had disabled the user accounts, and the employees had left— affecting bandwidth, performance, and security.