This is a great addition to the usual Paul's security weekly episodes. Thanks for sharing this with us, I will definitely be looking into this in the near future!
This is amazing, response times as a potential indicator is genius. Loving these episodes.
Nice overview of MailSniper, Beau!
Thank you Beau Bullock, great video post
Where do I find video 1, please? And 2?
You can find the full playlist of Tradecraft episodes here: ruclips.net/p/PLlPkFwQHxYE7Yi5jtcSyCCr8pXxP1OEkZ
How can I access other people's email inboxes on my same domain? Any trick to do it? Our email domain is hosted on premise with a public IP, and it is Exchange Server 2003; we access it using domain.com/exchange
Can you elaborate on mail server discovery?
Most orgs are following a generic standard referenced as Autodiscover. For example, for a person with an email of flast@test.cc, you can theoretically go to autodiscover.test.cc and it will take you to the expected login page. This standard was created to help mail apps find the user's login location, so naturally we can use it against them :)
I didn't find a way to alert on password spraying?
Hey Jeff, when a user attempts to authenticate against Exchange/OWA the credentials are actually verified by the DC. So, the best place to alert would likely be failed login attempt security logs generated at the DC. You would likely need a tool or SIEM of some sort to parse through the logs and alert accordingly. I hope that helps!
@beau_bullock But on the DC the failure attempts are not showing under security logs; when we enabled Netlogon logs on the DC, we noticed the login attempts are coming from Exchange. This is strange because the failure attempts ideally should be captured under security logs, but instead they are captured in Netlogon logs.
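The DC-side alerting suggested in the reply above can be sketched as a sliding-window check for one source failing against many distinct accounts. This is an added example, not part of the original comments or of MailSniper; the CSV layout, host names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import deque
from datetime import datetime

# Constructed sample export (not real logs): time, event ID, status, account, source.
# Assumption: status 0x0 means success and any other value is a failed attempt.
SAMPLE = """\
2024-01-10T09:00:05,4776,0xC000006A,alice,EXCH01
2024-01-10T09:00:09,4776,0xC000006A,bob,EXCH01
2024-01-10T09:00:14,4776,0xC000006A,carol,EXCH01
2024-01-10T09:00:20,4776,0x0,dave,EXCH01
2024-01-10T09:00:27,4776,0xC000006A,erin,EXCH01
2024-01-10T09:00:33,4776,0xC000006A,frank,EXCH01
2024-01-10T09:02:00,4625,0xC000006D,bob,WKS07
2024-01-10T09:02:10,4625,0xC000006D,bob,WKS07
2024-01-10T09:02:20,4625,0xC000006D,bob,WKS07
2024-01-10T09:02:30,4625,0xC000006D,bob,WKS07
2024-01-10T09:02:40,4625,0xC000006D,bob,WKS07
2024-01-10T09:02:50,4625,0xC000006D,bob,WKS07
"""

def parse_failures(text):
    """Yield (time, account, source) for every failed attempt in the export."""
    for line in text.splitlines():
        ts, _event_id, status, account, source = line.strip().split(",")
        if status.lower() != "0x0":
            yield datetime.fromisoformat(ts), account.lower(), source

def detect_spray(failures, window_s=600, min_accounts=5):
    """Alert once per source that fails against many distinct accounts in the window."""
    recent, alerts = {}, {}
    for ts, account, source in sorted(failures):
        q = recent.setdefault(source, deque())
        q.append((ts, account))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the sliding window
        accounts = sorted({a for _, a in q})
        if len(accounts) >= min_accounts and source not in alerts:
            alerts[source] = {"source": source, "first_seen": q[0][0].isoformat(),
                              "accounts": accounts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_spray(parse_failures(SAMPLE)):
        print(alert)
```

Six failures for one account from WKS07 do not trigger, because the check counts distinct accounts rather than attempts. Since OWA logons reach the DC from the Exchange server, as the thread notes, the source will usually be the Exchange host and `min_accounts` has to sit above normal mistyped-password noise.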