In this article, we’ll explore high volume logon attacks (HVAs) against on-premises Microsoft Exchange servers, and the ongoing detrimental effects on the organization being attacked.

Active Directory (AD) environments are particularly susceptible because a single compromised account can trigger widespread network infiltration. As a result, password attacks can lead to severe consequences, including data breaches, network compromise, and major operational disruptions.

Exchange Server Attacks – AD Account Lockouts


Understanding Exchange Server Password Attacks and HVAs

Exchange server password attacks are a form of automated cyber intrusion in which attackers systematically attempt to gain unauthorized access to corporate messaging systems and/or overwhelm the organization by causing denial of service. They use large volumes of automated external authentication traffic to Active Directory via Exchange on-premises servers to accomplish one or both objectives.

These attacks are known by various names such as brute force, password guessing, password spray, dictionary, denial of service and other variations.

Password attacks can test thousands of username and password combinations in seconds, often gathering usernames from various sources or learning a company’s username format like firstname.lastname@company.com.

Exchange Server specific HVAs can take different forms, including:

  1. Scripted attacks against logon forms such as Outlook Web App and the Exchange Control Panel.
  2. Programmatic attacks against Exchange Server APIs such as EWS, REST, and other protocols.
  3. Attacks against protected Exchange virtual directories such as Autodiscover, OAB, OWA, and others.
  4. Various combinations of the above.

The Impact of High Volume Attacks on Your Organization

Depending on the strength (or lack thereof) of an organization’s account lockout security policies, any of the following unwanted results can occur following high volume password attacks:

  1. Large scale AD account lockouts and denial of service
  2. IT support teams overwhelmed with constant password resets
  3. Dissatisfaction among employees and business units, and IT teams unable to focus on more strategic business priorities
  4. Consistent and repeated lockouts of specific user and service accounts
  5. Compromise of account passwords
  6. Network capacity issues due to authentication traffic volumes
  7. Potential impacts on security standards compliance and organizational reputation risks

Several further points compound the problem:

  1. Timing: password attacks on Exchange servers are rarely one-time or single-method events. They may start and stop at any time, increase or decrease in severity, and change methods, sources and the specific threat posed to user accounts or the organization as a whole.
  2. Targets have evolved from large, strategic organizations only to organizations of all sizes and types, often selected by automated targeting.
  3. Attacks affect not only user/employee accounts but also service or administrative accounts, which often have high-level permissions and are used to run applications, processes or services within the network. The compromise of a service account can have widespread implications, as attackers can leverage the account’s permissions to access or disrupt critical services and processes.
  4. Deploying 2FA/MFA for Exchange Server still leaves organizations open to password guessing on programmatic protocols, leading to account lockouts.
  5. Attackers may switch to “low volume attacks”, testing passwords below lockout thresholds to avoid detection.

Messageware Solutions: Defense Against High Volume Password Attacks

Messageware Exchange Protocol Guard (EPG) offers comprehensive, multi-function authentication security features for on-premises Exchange SE and 2019 servers.

EPG was designed to provide the following benefits and advantages to messaging and security teams:

  • Easy access and clear visibility and reporting for all Exchange Server authentication traffic
  • Automatic security enforcement without manual intervention from IT teams
  • Automatic protection against employee account lockouts and business disruption
  • Full confidence in Exchange security measures to provide access and services to all types of external users
  • No dependence on cloud services or cloud data storage – the application and all of its data are stored locally
  • For hybrid installations, an effective option to fully protect remaining on-premises servers

We recently analyzed live traffic from Exchange Servers where security protocols successfully blocked numerous password guessing attacks. These attacks target all Exchange environments and frequently result in account lockouts that go undetected by traditional security teams. The table below captures a snapshot of this week’s attack data:

| IP | User | Protocol | Status | Country | City | ISP/Domain |
| --- | --- | --- | --- | --- | --- | --- |
| 207.xxx.xxx.67 | EX-XXXX-01\joxx.smXX | OWA | Successful Logon | United States | New York | Verizon |
| 2.xxx.xxx.43 | EX-XXXX-01\joxx.smXX | OWA | Current Tarpit | Iran | Tehran | Iran Telecommunication Company PJS |
| 2.xxx.xxx.43 | EX-XXXX-02\joxx.smXX | OWA | Password Failure | Iran | Tehran | Iran Telecommunication Company PJS |
| 2.xxx.xxx.43 | EX-XXXX-02\joxx.smXX | OWA | Password Failure | Iran | Tehran | Iran Telecommunication Company PJS |
| 91.xxx.xxx.170 | EX-XXXX-01\joxx.smXX | OWA | Current Tarpit | Russia | Moscow | EuroByte |
| 91.xxx.xxx.170 | EX-XXXX-01\joxx.smXX | OWA | Password Failure | Russia | Moscow | EuroByte |
| 91.xxx.xxx.170 | EX-XXXX-01\joxx.smXX | OWA | Password Failure | Russia | Moscow | EuroByte |
| 129.xxx.xxx.69 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Current Tarpit | Australia | Sydney | University of Sydney |
| 129.xxx.xxx.69 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Password Failure | Australia | Sydney | University of Sydney |
| 129.xxx.xxx.69 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Password Failure | Australia | Sydney | University of Sydney |
| 23.xxx.xxx.2 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Current Tarpit | Iran | Tehran | Iran Telecommunication Company PJS |
| 23.xxx.xxx.2 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Password Failure | Russia | Moscow | EuroByte |
| 23.xxx.xxx.2 | EX-XXXX-02\syxxxxxn1 | Autodiscover | Password Failure | Iran | Tehran | Iran Telecommunication Company PJS |
| 23.xxx.xxx.2 | EX-XXXX-01\joxx.smXX | EWS | Current Tarpit | Russia | Moscow | EuroByte |
| 23.xxx.xxx.2 | EX-XXXX-01\joxx.smXX | EWS | Password Failure | Iran | Tehran | Iran Telecommunication Company PJS |
| 23.xxx.xxx.2 | EX-XXXX-01\joxx.smXX | EWS | Password Failure | Russia | Moscow | EuroByte |
| 138.xxx.xxx.64 | EX-XXXX-02\syxxxxxn1 | EWS | Current Tarpit | United States | San Francisco | University of San Francisco |
| 138.xxx.xxx.64 | EX-XXXX-02\syxxxxxn1 | EWS | Password Failure | United States | San Francisco | University of San Francisco |
| 138.xxx.xxx.64 | EX-XXXX-02\syxxxxxn1 | EWS | Password Failure | United States | San Francisco | University of San Francisco |

This is a small sample of password attack activity against selected user accounts. The complete data report covers a wide variety of user and service accounts being attacked over different protocols, from different IP addresses and countries, and from various devices and automated user agents.
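The report above, together with the earlier points about lockout thresholds and low volume attacks, can be worked through in code. The following is an added example written for this article, not Messageware’s or Microsoft’s code: it models the three Active Directory account lockout policy settings, replays a constructed event stream shaped like the report columns (documentation-range IP addresses and made-up account names), and flags the patterns that a per-account lockout policy on its own never reports: one source failing against many accounts, an account probed just below the threshold, and a successful logon that follows failures from another source. The pipe-delimited event format, the threshold values and the names used are all assumptions.

```python
"""Lockout-risk and spray-pattern analysis over Exchange authentication events.
Added example for this article, not Messageware or Microsoft code. It assumes a
pipe-delimited event layout modelled on the report columns above and uses
constructed sample data (documentation-range IP addresses, made-up accounts)."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: time|source_ip|account|protocol|status|country
SAMPLE_EVENTS = """\
2024-05-06T08:00:00|203.0.113.67|joxx.smXX|OWA|Successful Logon|United States
2024-05-06T08:01:00|198.51.100.43|joxx.smXX|OWA|Password Failure|Iran
2024-05-06T08:01:05|198.51.100.43|joxx.smXX|OWA|Password Failure|Iran
2024-05-06T08:01:10|198.51.100.43|joxx.smXX|OWA|Password Failure|Iran
2024-05-06T08:01:15|198.51.100.43|joxx.smXX|OWA|Password Failure|Iran
2024-05-06T08:01:20|198.51.100.43|joxx.smXX|OWA|Password Failure|Iran
2024-05-06T08:02:00|198.51.100.43|a.jones|OWA|Password Failure|Iran
2024-05-06T08:02:05|198.51.100.43|b.lee|EWS|Password Failure|Iran
2024-05-06T08:45:00|203.0.113.67|joxx.smXX|OWA|Successful Logon|United States
2024-05-06T09:00:00|192.0.2.69|syxxxxxn1|Autodiscover|Password Failure|Australia
2024-05-06T09:40:00|192.0.2.69|syxxxxxn1|Autodiscover|Password Failure|Australia
2024-05-06T10:20:00|192.0.2.69|syxxxxxn1|Autodiscover|Password Failure|Australia
2024-05-06T11:00:00|192.0.2.69|syxxxxxn1|Autodiscover|Password Failure|Australia
"""

Event = namedtuple("Event", "time ip user protocol status country")

@dataclass
class LockoutPolicy:
    """The three Active Directory account lockout policy settings."""
    threshold: int = 5                              # Account lockout threshold
    observation: timedelta = timedelta(minutes=30)  # Reset account lockout counter after
    duration: timedelta = timedelta(minutes=30)     # Account lockout duration

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        t, ip, user, proto, status, country = line.split("|")
        events.append(Event(datetime.fromisoformat(t), ip, user, proto, status, country))
    return sorted(events, key=lambda e: e.time)

def simulate_lockouts(events, policy):
    """Accounts AD would lock, and when. Models badPwdCount: it increments on each
    failure, resets when the gap since the previous failure exceeds the observation
    window, and locks the account at the threshold; failures against an account
    that is already locked are rejected without being counted."""
    count, last_fail, locked_until = defaultdict(int), {}, {}
    lockouts = defaultdict(list)
    for e in events:
        if e.status != "Password Failure" or e.time < locked_until.get(e.user, e.time):
            continue
        if e.user in last_fail and e.time - last_fail[e.user] > policy.observation:
            count[e.user] = 0
        count[e.user] += 1
        last_fail[e.user] = e.time
        if count[e.user] >= policy.threshold:
            lockouts[e.user].append(e.time)
            locked_until[e.user] = e.time + policy.duration
            count[e.user] = 0
    return dict(lockouts)

def spray_sources(events, min_accounts=3):
    """Source IPs failing against min_accounts or more distinct accounts: the
    password-spray signature that a per-account lockout policy never reports."""
    targets = defaultdict(set)
    for e in events:
        if e.status == "Password Failure":
            targets[e.ip].add(e.user)
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= min_accounts}

def slow_attack_accounts(events, policy, min_failures=4):
    """Accounts with min_failures or more failures that never lock: each gap
    exceeds the observation window, so badPwdCount keeps resetting to zero."""
    failures = defaultdict(int)
    for e in events:
        if e.status == "Password Failure":
            failures[e.user] += 1
    locked = simulate_lockouts(events, policy)
    return sorted(u for u, n in failures.items() if n >= min_failures and u not in locked)

def success_amid_attack(events, lookback=timedelta(hours=1)):
    """Successful logons preceded within lookback by failures for the same account
    from another source IP: confirm with the user that the success was theirs."""
    hits = []
    for i, e in enumerate(events):
        if e.status != "Successful Logon":
            continue
        prior = [p for p in events[:i] if p.user == e.user and p.ip != e.ip
                 and p.status == "Password Failure" and e.time - p.time <= lookback]
        if prior:
            hits.append((e.user, e.ip, len(prior), sorted({p.ip for p in prior})))
    return hits

if __name__ == "__main__":
    evs, policy = parse_events(SAMPLE_EVENTS), LockoutPolicy()
    print("would lock:", simulate_lockouts(evs, policy))
    print("spray sources:", spray_sources(evs))
    print("probed below threshold:", slow_attack_accounts(evs, policy))
    print("success amid attack:", success_amid_attack(evs))
```

On the sample data, the default policy locks joxx.smXX at the fifth failure from a single source (the denial of service the article describes), reports that source as a spray against three accounts, and shows syxxxxxn1 being probed at 40-minute intervals so that badPwdCount resets each time and AD never locks the account; the later successful logon for joxx.smXX is listed for confirmation with the user rather than treated as a compromise.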

Enhancing Security with Intelligent, Exchange-Aware Protection

In the example report above, the presence of Messageware security resulted in:

  • No user or service Active Directory account lockouts, even after multiple password failures from attackers that would otherwise have locked out the account
  • Password attacks being automatically detected and isolated
  • Certain IP addresses being automatically placed on a blocked list
  • Alerts and reports for the security team being generated automatically
  • Authentication traffic and security enforcement information being easily visible to the IT team

Messageware Exchange Protocol Guard (EPG) is designed to address these challenges by adding layers of intelligent, Exchange-aware protection. EPG automatically detects and stops both high-volume password-guessing attacks and long-term reconnaissance activity. It also integrates directly with enhanced dynamic threat feeds, providing highly accurate, real-time intelligence on systems known to generate malicious traffic, and blocks those connections before they ever reach your server.
