Password Spraying OWA

Outlook Web Access (OWA)

Attack

OWA is the web-based email client that's setup with Exchange Server or Exchange Online

  • URL Location of OWA:

    • https://<exchangeIP>/owa

  • Active Directory GPO settings define the lockout rules (the default threshold is 0, meaning no lockouts).

  • Attacker will not know the lockout rule without access to GPO, so be careful with password spraying.

Domain Controller GPO Editor

Detect

Cloud

Log Sources for Detection:

  • Exchange Mailbox Audit logs (not enabled by default).

  • Security.evtx (logon events correlating to OWA)

  • HTTPProxy OWA logs

    • Ensure the X-Forwarded-For header is logged to obtain the threat actor's (TA) IP address rather than the load balancer's.

  • IIS Access logs

    • Ensure the X-Forwarded-For header is logged.

Exchange Mailbox Audit logs:

  • Can show all Exchange actions on mailboxes, including sign-ins.

  • Auditing needs to be enabled per user.

Enabling via PowerShell
Export Mailbox Audit logs in Admin Center

IIS Access Logs

  • C:\Inetpub\logs\logfiles\*

  • The response code for the authentication request will always be 302.

  • FBA true shows a successful request.

  • FBA false shows a failed request.

  • The log does not show the username unless the request was authenticated.
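Because a failed form-based logon leaves no username in the IIS log, spraying has to be detected from the volume of failed authentication POSTs per client address. The following is an added example (not code from the original page) that parses the W3C format using its own #Fields header, prefers the X-Forwarded-For column over c-ip when it is populated, and flags any address that produces five or more unauthenticated 302 responses to /owa/auth.owa within five minutes, then records any authenticated request that follows from the same address. The log sample is constructed, and the presence and name of the X-Forwarded-For column are an assumption (it is a custom logging field that has to be added in IIS).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C sample (not real server output). The X-Forwarded-For
# column is a custom logging field that has to be added in IIS; its name here
# is an assumption. Failed FBA POSTs carry no cs-username, as the page notes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status X-Forwarded-For
2024-05-01 09:00:01 POST /owa/auth.owa - - 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:03 POST /owa/auth.owa - - 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:05 POST /owa/auth.owa - - 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:07 POST /owa/auth.owa - - 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:09 POST /owa/auth.owa - - 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:11 POST /owa/auth.owa - CORP\\jdoe 10.0.0.5 302 198.51.100.7
2024-05-01 09:00:12 GET /owa/ - CORP\\jdoe 10.0.0.5 200 198.51.100.7
2024-05-01 09:30:00 POST /owa/auth.owa - - 10.0.0.5 302 203.0.113.9
2024-05-01 09:30:20 POST /owa/auth.owa - CORP\\asmith 10.0.0.5 302 203.0.113.9
"""


def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed row rather than mis-assign columns
        yield dict(zip(fields, parts))


def client_ip(entry):
    """Prefer the proxied client address when the custom field is populated."""
    xff = entry.get("X-Forwarded-For", "-")
    return xff.split(",")[0].strip() if xff != "-" else entry["c-ip"]


def detect_spray(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": [users]}} for flagged IPs."""
    recent = defaultdict(deque)  # ip -> timestamps of failed auth POSTs in window
    hits = {}
    for e in parse_w3c(text):
        if e["cs-method"] != "POST" or e["cs-uri-stem"].lower() != "/owa/auth.owa":
            continue
        if e["sc-status"] != "302":
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        ip = client_ip(e)
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if e["cs-username"] == "-":  # failed: no authenticated user recorded
            q.append(ts)
            if len(q) >= threshold:
                hits.setdefault(ip, {"failures": 0, "success_after": []})["failures"] = len(q)
        elif ip in hits:  # a success from an address already over threshold
            hits[ip]["success_after"].append(e["cs-username"])
    return hits


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold and window are deliberately parameters: tune them to the site's normal failure rate, and treat a success_after entry as the highest-priority finding, since it indicates the spray found a valid password.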

HTTPProxy OWA logs

  • C:\Windows\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\OWA

Security.evtx

  • Event IDs

    • 4624 successful logon

    • 4625 failed logon

  • process name w3wp.exe for OWA web service.

4624 Successful
4625 Failed

Detection Methods

  • High number of authentication events in short time period

  • Alphabetical order

  • Incorrect usernames

  • Spike in account lockouts

  • Look for use of Azure Active Directory PowerShell (not common and sign of malicious activity if the user is not an admin)

On-Prem:

  • Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out.

  • Event ID 4767 is generated every time an account is unlocked

    • These events will need to be collected from every DC and client.

Monitoring

  • If you have high-value domain or local accounts (for example, domain administrator accounts) for which you need to monitor every lockout, monitor all 4740 events whose “Account That Was Locked Out \ Security ID” value corresponds to one of those accounts.
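The Security.evtx, Detection Methods, On-Prem and Monitoring sections above describe one correlation: 4625 events raised by w3wp.exe, grouped by source address, checked for a burst of failures, alphabetical username order and non-existent usernames, combined with a spike in 4740 lockouts and a watchlist of high-value SIDs. The following is an added example (not code from the original page) that implements that correlation over events flattened to the fields a SIEM would extract from EventData. The events, IPs, SIDs and the watchlist are constructed; SubStatus 0xC0000064 is the Windows code for "user name does not exist" and 0xC000006A for a wrong password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real evtx output), flattened to the EventData fields
# a SIEM extracts from 4625/4624/4740. Names, IPs, SIDs and times are made up.
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
T0 = datetime(2024, 5, 1, 9, 0, 0)


def _ev(event_id, seconds, **data):
    return {"EventID": event_id, "Time": T0 + timedelta(seconds=seconds), **data}


EVENTS = [
    _ev(4625, s, User=u, Ip="198.51.100.7", Process=W3WP, SubStatus=sub)
    for s, (u, sub) in enumerate([("alice", "0xC000006A"), ("bob", "0xC000006A"),
                                  ("carol", "0xC0000064"), ("dave", "0xC000006A"),
                                  ("erin", "0xC0000064"), ("frank", "0xC000006A")])
] + [
    _ev(4624, 8, User="frank", Ip="198.51.100.7", Process=W3WP),
    _ev(4625, 60, User="zed", Ip="203.0.113.9", Process=W3WP, SubStatus="0xC000006A"),
    _ev(4740, 70, User="dave", TargetSid="S-1-5-21-1-2-3-1105"),
    _ev(4740, 75, User="erin", TargetSid="S-1-5-21-1-2-3-1106"),
    _ev(4740, 80, User="da-admin", TargetSid="S-1-5-21-1-2-3-500"),
]

# Constructed watchlist of privileged account SIDs (see the Monitoring section).
HIGH_VALUE_SIDS = {"S-1-5-21-1-2-3-500"}
NO_SUCH_USER = "0xC0000064"


def owa_failures_by_ip(events):
    """Group 4625 events whose logon process is the IIS worker (OWA) by source IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("Process", "").lower().endswith("w3wp.exe"):
            by_ip[e["Ip"]].append(e)
    return by_ip


def is_alphabetical(users):
    """True when at least three distinct usernames arrive in sorted order."""
    distinct = list(dict.fromkeys(users))  # keep first-seen order, drop repeats
    return len(distinct) >= 3 and distinct == sorted(distinct, key=str.lower)


def detect_spray_events(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per source IP with >= threshold OWA failures inside window."""
    findings = {}
    for ip, fails in owa_failures_by_ip(events).items():
        fails.sort(key=lambda e: e["Time"])
        start = 0
        for end in range(len(fails)):  # sliding window over the sorted failures
            while fails[end]["Time"] - fails[start]["Time"] > window:
                start += 1
            run = fails[start:end + 1]
            if len(run) >= threshold:
                users = [e["User"] for e in run]
                findings[ip] = {
                    "failures": len(run),
                    "distinct_users": len(set(users)),
                    "alphabetical": is_alphabetical(users),
                    "bad_usernames": sum(e["SubStatus"] == NO_SUCH_USER for e in run),
                    "success_after": sorted({e["User"] for e in events
                                             if e["EventID"] == 4624 and e.get("Ip") == ip
                                             and e["Time"] >= run[0]["Time"]}),
                }
    return findings


def lockout_alerts(events, spike_threshold=3, window=timedelta(minutes=10)):
    """Return (spike, high_value_users) from 4740 events."""
    lockouts = sorted((e for e in events if e["EventID"] == 4740), key=lambda e: e["Time"])
    spike, start = False, 0
    for end in range(len(lockouts)):
        while lockouts[end]["Time"] - lockouts[start]["Time"] > window:
            start += 1
        if end - start + 1 >= spike_threshold:
            spike = True
    high_value = [e["User"] for e in lockouts if e["TargetSid"] in HIGH_VALUE_SIDS]
    return spike, high_value


if __name__ == "__main__":
    print(detect_spray_events(EVENTS))
    print(lockout_alerts(EVENTS))
```

Each indicator is reported separately rather than folded into one score, so an analyst can see which of the page's signals fired: a burst alone may be a misconfigured client, but a burst with alphabetical usernames, unknown accounts and a success from the same address is a spray that landed. The 4740 correlation only works if lockout events are collected from every domain controller, as the On-Prem section notes.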

Mitigate

  • Enable MFA on all accounts.

  • Enable Exchange audit logging on all accounts.

  • Ensure HTTP proxy logs and IIS logs include X-Forwarded-For and are being sent to a SIEM.

  • Lockout policy enabled in GPO.

    • A threshold of 7-10 failed logins before lockout is a good policy.
