Password Spraying OWA

Outlook Web Access (OWA)

Attack

OWA is the web-based email client that ships with Exchange Server and Exchange Online.

  • URL Location of OWA:

    • https://<exchangeIP>/owa

  • Active Directory GPO settings define the account lockout threshold (the default of 0 means accounts never lock out).

  • An attacker cannot see the lockout threshold without access to the GPO, so a password spray can lock accounts out unexpectedly; this is also what makes lockout spikes a useful detection signal.

Detect

Cloud

Log Sources for Detection:

  • Exchange Mailbox Audit logs (not enabled by default).

  • Security.evtx (logon events correlating to OWA)

  • HTTPProxy OWA logs

    • Ensure the X-Forwarded-For header is logged so the threat actor (TA) IP address is recorded rather than that of the proxy or load balancer in front of Exchange.

  • IIS Access logs

    • Ensure the X-Forwarded-For header is logged here as well.

Exchange Mailbox Audit logs:

  • Can show all Exchange actions on mailboxes, including sign-ins.

  • Auditing needs to be enabled per user.

# PowerShell (Exchange Management Shell): enable mailbox audit logging
# List mailboxes to find the identity you want to enable auditing on
Get-Mailbox

# Enable auditing for a single mailbox (auditing is per mailbox)
Set-Mailbox -Identity "USER" -AuditEnabled $true

# Confirm which mailboxes have auditing enabled and what is audited
Get-Mailbox | Select-Object UserPrincipalName, AuditEnabled, AuditDelegate, AuditAdmin

IIS Access Logs

  • C:\Inetpub\logs\logfiles\*

  • The response code is always 302, whether the login succeeded or failed, so the status code alone does not separate the two.

  • FBA, true shows successful request.

  • FBA, false shows failed request.

  • The username is only logged once the request was authenticated, so failed attempts carry no username.
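The IIS points above (every auth response is a 302, the username is absent on failures, and the real client address is only there if X-Forwarded-For is logged) mean the useful IIS signal is the volume of form-auth POSTs per source. The following is an added example, not code from the original page: it parses a constructed W3C-format log, keys each request on X-Forwarded-For when present and falls back to c-ip otherwise, and reports the peak number of OWA auth POSTs per source inside a sliding window. The log content and the assumption that X-Forwarded-For is logged as an IIS custom field under that exact name are constructed for the example.

```python
"""Per-source OWA authentication volume from IIS W3C access logs.

Constructed sample log, not output from a real server. The #Fields line is
parsed so column order does not matter; X-Forwarded-For is assumed to be
logged as an IIS custom field under that exact name (an assumption that
follows the page's advice to enable the header, not a default IIS column).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source posts credentials six times in 15 seconds
# through a load balancer (c-ip 10.0.0.2); a real user logs in once.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status X-Forwarded-For
2024-01-01 09:00:00 10.0.0.4 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.2 Mozilla/5.0 200 203.0.113.5
2024-01-01 09:00:01 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:04 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:07 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:10 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:13 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:16 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 203.0.113.5
2024-01-01 09:00:30 10.0.0.4 POST /owa/auth.owa - 443 - 10.0.0.2 Mozilla/5.0 302 198.51.100.7
2024-01-01 09:00:31 10.0.0.4 GET /owa/ - 443 EXAMPLE\\jdoe 10.0.0.2 Mozilla/5.0 200 198.51.100.7
"""


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in #Fields."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            # IIS replaces spaces inside field values with '+', so split on whitespace
            rows.append(dict(zip(fields, line.split())))
    return rows


def source_ip(row):
    """Real client address: first X-Forwarded-For hop if logged, else c-ip."""
    xff = row.get("X-Forwarded-For", "-")
    return row["c-ip"] if xff in ("-", "") else xff.split(",")[0].strip()


def auth_attempts_per_source(rows, window=timedelta(minutes=1)):
    """Peak number of OWA form-auth POSTs per source inside any window.
    Status is not consulted: the page notes it is 302 on success and failure."""
    times = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/owa/auth.owa":
            times[source_ip(r)].append(datetime.fromisoformat(f'{r["date"]}T{r["time"]}'))
    peaks = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flag_sources(rows, threshold=5):
    """Sources whose peak auth volume reaches the threshold (tune to your baseline)."""
    return sorted(ip for ip, n in auth_attempts_per_source(rows).items() if n >= threshold)


def without_xff(rows):
    """The same rows as a server that does not log X-Forwarded-For would produce."""
    return [{**r, "X-Forwarded-For": "-"} for r in rows]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    print(auth_attempts_per_source(rows), flag_sources(rows))
    print(auth_attempts_per_source(without_xff(rows)))
```

Running the same rows through `without_xff` shows the failure mode the page warns about: without the header every attempt collapses onto the load balancer address, the legitimate user and the spraying source become indistinguishable, and the threshold fires on the wrong IP.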

HTTPProxy OWA logs

  • %ExchangeInstallPath%Logging\HttpProxy\Owa (by default C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa)

Security.evtx

  • Event IDs

    • 4624 successful logon

    • 4625 failed logon

  • The logging process is w3wp.exe, the IIS worker process that hosts the OWA web service.

Detection Methods

  • High number of authentication events in short time period

  • Alphabetical order

  • Incorrect usernames

  • Spike in account lockouts

  • Look for use of the Azure Active Directory PowerShell module (uncommon, and a sign of malicious activity when the user is not an admin).

On-Prem:

  • Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out.

  • Event ID 4767 is generated every time an account is unlocked.

    • These events will need to be collected from every DC and client.
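The detection methods above (many authentications in a short window, usernames tried in alphabetical order, incorrect usernames, and a spike in lockouts) all fall out of the Security.evtx events this section lists. The following is an added example, not code from the original page: it runs those checks over constructed 4625/4624 records from the OWA worker process and constructed 4740 lockout records from a DC. Field names follow the Security.evtx properties; the NTSTATUS values 0xC0000064 (user does not exist) and 0xC000006A (wrong password) are Windows values, while the sample events, addresses and thresholds are constructed for the example.

```python
"""Password-spray indicators from Windows Security event records.

Constructed sample records, not real logs. Each dict mirrors the
Security.evtx properties the page points at: EventID 4625/4624 written by
the IIS worker (w3wp.exe) that hosts OWA, and 4740 lockouts from the DC.
SubStatus carries the NTSTATUS code that tells a wrong password apart
from a username that does not exist.
"""
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN_USER = "0xC0000064"  # NTSTATUS: user name does not exist
BAD_PASSWORD = "0xC000006A"  # NTSTATUS: correct user, wrong password
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"


def _ev(ts, eid, user, ip, sub="", proc=W3WP):
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": eid,
            "TargetUserName": user, "IpAddress": ip,
            "ProcessName": proc, "SubStatus": sub}


# Constructed sample: one source tries many accounts in alphabetical order,
# a legitimate user mistypes once, and the DC records two lockouts.
SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00", 4625, "alice", "203.0.113.5", BAD_PASSWORD),
    _ev("2024-01-01T09:00:03", 4625, "bob", "203.0.113.5", BAD_PASSWORD),
    _ev("2024-01-01T09:00:06", 4625, "carol", "203.0.113.5", BAD_PASSWORD),
    _ev("2024-01-01T09:00:09", 4625, "dave", "203.0.113.5", BAD_PASSWORD),
    _ev("2024-01-01T09:00:12", 4625, "erin", "203.0.113.5", UNKNOWN_USER),
    _ev("2024-01-01T09:00:15", 4625, "frank", "203.0.113.5", UNKNOWN_USER),
    _ev("2024-01-01T09:00:18", 4624, "grace", "203.0.113.5"),
    _ev("2024-01-01T09:01:00", 4740, "bob", "-", proc="-"),
    _ev("2024-01-01T09:01:30", 4740, "carol", "-", proc="-"),
    _ev("2024-01-01T09:05:00", 4625, "alice", "198.51.100.7", BAD_PASSWORD),
    _ev("2024-01-01T09:05:20", 4624, "alice", "198.51.100.7"),
]


def is_owa_logon(ev):
    """4624/4625 written by the IIS worker process that hosts OWA."""
    return ev["ProcessName"].lower().endswith("\\w3wp.exe")


def spray_sources(events, window=timedelta(minutes=5), min_users=5):
    """Sources whose OWA logon failures touch at least min_users distinct
    accounts inside a sliding window. Returns {ip: indicators} computed on
    the densest window seen for that source."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4625 and is_owa_logon(ev):
            failures[ev["IpAddress"]].append(ev)
    flagged = {}
    for ip, evs in failures.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = [e["TargetUserName"] for e in chunk]
            distinct = len(set(users))
            if distinct >= min_users and (best is None or distinct > best["distinct_users"]):
                best = {
                    "distinct_users": distinct,
                    # one password walked down an ordered user list
                    "alphabetical": users == sorted(users),
                    # names that do not exist in AD: a stale or guessed user list
                    "unknown_users": sum(e["SubStatus"] == UNKNOWN_USER for e in chunk),
                    # any OWA 4624 from the same source: the spray found a password
                    "successes": sum(1 for e in events if e["EventID"] == 4624
                                     and e["IpAddress"] == ip and is_owa_logon(e)),
                }
        if best:
            flagged[ip] = best
    return flagged


def lockout_spike(events, window=timedelta(minutes=5), threshold=2):
    """Largest number of 4740 lockouts inside any window, and whether it
    reaches the alerting threshold (set from your baseline, not this sample)."""
    times = sorted(e["TimeCreated"] for e in events if e["EventID"] == 4740)
    start, best = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best, best >= threshold


if __name__ == "__main__":
    print(spray_sources(SAMPLE_EVENTS))
    print(lockout_spike(SAMPLE_EVENTS))
```

Because 4740 is written on the DC and 4625 on the Exchange server, the two functions only line up when both sources are collected centrally, which is the point the On-Prem bullet makes; the `successes` indicator is the one to alert on first, since it marks a sprayed account that is now compromised.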

Monitoring

  • If you have high-value domain or local accounts (for example, domain administrator accounts) for which you need to monitor every lockout, monitor all 4740 events with the “Account That Was Locked Out \Security ID” values that correspond to the accounts.

Mitigate

  • Enable MFA on all accounts.

  • Enable Exchange audit logging on all accounts.

  • Ensure HTTP proxy logs and IIS logs record X-Forwarded-For and are being sent to a SIEM.

  • Lockout policy enabled in GPO.

    • A threshold of 7-10 failed logins before lockout is a reasonable policy.
