Microsoft Exchange is a common attack surface: it exposes several public, Internet-facing entry points that lead directly into the enterprise network. Recently Exchange hit the news when the attacks attributed to the group known as Hafnium reportedly doubled, reaching nearly 60,000 compromised Exchange servers globally.

There have been earlier reports of attacks that go through Exchange. In a 2019 engagement write-up, the FireEye Red Team showed the initial compromise happening via OWA (Outlook Web App): the red team cloned the OWA logon page on a look-alike domain. Technically that is a phishing attack, but the compromise goes through OWA.

Attacker persistence and domain escalation follow naturally because Microsoft Exchange is bound to Active Directory: the credentials harvested through OWA are the same domain credentials, so they can be reused against the rest of the environment.

Exchange Log Collection

In addition to the Microsoft security update, which included mitigation guidance, here are other items worth looking into when securing Exchange:

  • Find indications of redirection (i.e. from a fake OWA to the real OWA), for example requests to the real OWA logon endpoint whose Referer is a look-alike domain

  • Find signs of privilege escalation (as Duo puts it, “being an Administrator on an Exchange server is enough to escalate to Domain Admin”)

  • Pentesting Microsoft Exchange

  • Writeup to harden Exchange

Of course the mitigation notes and the security release updates are the most important. Microsoft also mentions going through the IIS logs to check whether the ‘files identified as malicious have been accessed.’
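The two IIS log checks above (a look-alike OWA relaying victims to the real one, and access to files an advisory names as malicious), worked as an added example that is not part of the original page or of the Microsoft, FireEye or Duo material it links: a small Python script that parses an IIS W3C log using its #Fields header and runs both checks over constructed sample lines. The host name mail.example.com, the watchlist entry and every log line are assumptions made for the demo.

```python
"""Offline IIS log triage for the OWA redirection and malicious-file checks above.

Added example, not code from the original page, Microsoft, FireEye or Duo.
It parses an IIS W3C access log (the '#Fields:' header gives the column order) and flags:
  1. requests to the real OWA logon endpoints (/owa/auth*) whose Referer host is not one of
     our own OWA host names, which is what a look-alike OWA page relaying victims to the
     real server leaves behind;
  2. requests for any path on a watchlist of files an advisory calls malicious.
mail.example.com, the watchlist entry and every log line below are constructed for the demo.
"""
import csv
from urllib.parse import urlparse

# Constructed sample IIS W3C log. Real IIS logs open with exactly these kinds of
# '#' comment lines, which is why any CSV decoder has to skip them first.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-02 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/owa/auth/logon.aspx 200 0 0 31
2021-03-02 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail-example.com/owa/auth/logon.aspx 302 0 0 45
2021-03-02 08:01:10 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/owa/auth/logon.aspx 302 0 0 40
2021-03-02 08:02:00 10.0.0.5 GET /aspnet_client/shell.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 12
"""

OWN_OWA_HOSTS = {"mail.example.com"}             # constructed: the organisation's real OWA host(s)
WATCHLIST_PATHS = {"/aspnet_client/shell.aspx"}  # constructed placeholder: fill from the advisory


def parse_w3c(text, delimiter=" "):
    """Parse a W3C extended log into a list of dicts keyed by the '#Fields:' names.

    Other '#' lines (Software, Version, Date) are comments and are skipped. A file can
    contain more than one header block, so a later '#Fields:' line simply replaces the
    current column list.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(delimiter)
            continue
        if fields is None:
            raise ValueError("data row before any #Fields: header")
        values = next(csv.reader([line], delimiter=delimiter))
        if len(values) != len(fields):
            # Truncated or corrupted row: skip it rather than lose the whole file.
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def external_owa_referers(rows, own_hosts):
    """Rows hitting /owa/auth* whose Referer host is not one of our own OWA hosts.

    Returns (client ip, referer host, uri stem). IIS writes '-' when no Referer was
    sent, and browsers may omit it, so an empty Referer is not evidence either way;
    only a foreign host is flagged.
    """
    hits = []
    own = {h.lower() for h in own_hosts}
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith("/owa/auth"):
            continue
        referer = r["cs(Referer)"]
        if referer == "-":
            continue
        host = (urlparse(referer).hostname or "").lower()
        if host not in own:
            hits.append((r["c-ip"], host, r["cs-uri-stem"]))
    return hits


def watchlist_hits(rows, watchlist):
    """Rows requesting a watchlisted path, whatever the status code: a 404 still
    records that someone knew the file name to ask for."""
    wanted = {p.lower() for p in watchlist}
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in rows if r["cs-uri-stem"].lower() in wanted]


if __name__ == "__main__":
    rows = parse_w3c(IIS_SAMPLE)
    for hit in external_owa_referers(rows, OWN_OWA_HOSTS):
        print("OWA request with foreign Referer:", hit)
    for hit in watchlist_hits(rows, WATCHLIST_PATHS):
        print("watchlisted path requested:", hit)
```

Run it against a real log with parse_w3c(open(path).read()). Because Exchange message tracking logs use the same #Fields header convention, the same parser handles them with delimiter=",", which is also why a Filebeat CSV decoder needs those comment lines excluded before it sees the data rows.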

Example Filebeat input (general Exchange). The input lives under filebeat.inputs, the decode_csv_fields options must be nested under the processor (the option name is trim_leading_space), and the message tracking logs begin with #Software/#Version/#Log-type/#Date/#Fields comment lines that would trip decode_csv_fields with fail_on_error: true, so they are excluded first:

filebeat.inputs:
  - type: log
    #confirm the path to the Microsoft Exchange Transport Logs. See the Open Office document to find where
    paths:
      - /path/to/logs
      #- 'F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.LOG'
    # drop the W3C-style comment/header lines so every remaining line is a CSV data row
    exclude_lines: ['^#']
    processors:
      - decode_csv_fields:
          fields:
            message: csv
          separator: ","
          ignore_missing: false
          overwrite_keys: true
          trim_leading_space: false
          fail_on_error: true

Note that decode_csv_fields only turns the line into an array of strings under the csv field; mapping each position to its name from the #Fields header (date-time, client-ip, and so on) still needs a further step, such as the extract_array processor or an ingest pipeline.

Example Winlogbeat configuration (general Exchange). Each channel is one entry under winlogbeat.event_logs and ignore_older applies per channel. Check that every name is an actual event log channel on the server (Get-WinEvent -ListLog 'MSExchange*' lists them); a name that is only an event source inside the Application log, rather than a channel of its own, yields no events:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: MSExchange Management
  - name: MSExchange ADAccess
  - name: MSExchange Message
  - name: MSExchange Antispam
  # OWA is a server-side IIS application: its access is recorded in the IIS logs and its
  # events are written to the Application log (source MSExchange OWA), which is already
  # collected above, so no separate channel is needed
  #- name: MSExchange OWA