How can I proactively detect compromised Exchange 2010 accounts?
We have had issues with compromised Exchange accounts sending out malicious e-mails via SMTP and OWA.
It seems that many of these accounts were compromised via incoming phishing attempts. We are currently deploying something to tighten our protection against those.
We now want to look into more proactive ways of detecting compromised accounts. Some non-hashed-out thoughts that came up:
- monitoring outgoing mail queue for suspicious activity
- checking for logins from foreign IP addresses in the IIS logs
- rate limiting logons (automatic lock of account?)
- rate limiting e-mail (automatic lock of account?)
If anyone has implemented something like this, any tips or products you used? How else have you tried to proactively detect compromised Exchange (or AD) accounts?
This is usually something better solved using a centralized logging solution. That way you can farm out the detection and intelligence without impacting mailing services. How exactly they're implemented will vary significantly with your logging solution, but any modern log collector should allow for alerting. The most successful methods I've seen implemented are:
- Logins from X countries within Y hours. The values you use for X and Y may vary, but some common sense will prevail. For instance, 2 countries within 4 hours is likely to be pretty safe for an organization in the central US, but may be more noisy for a company near a border in Europe.
- Logins from X IP addresses within Y minutes. Most people these days will have 2-4 devices with email configured; desktop, laptop, phone, tablet. Some more, some less. Both values will depend heavily on your user base. A good starting point may be 3 devices and 10 minutes.
- Logins for X users from 1 IP address. Using a 1-to-1 is usually pretty good here. Keep in mind this will fire if you have shared mailboxes that are configured as separate accounts and they are configured as separate users. If you have a VPN or proxy you'll also see this one flag often. So be prepared to whitelist systems.
Keep in mind that the best way to prevent malicious parties from accessing compromised accounts is to not allow access to your mail system in the first place. If you can restrict access to OWA or EWS to your organization, using a VPN for outside workers, then you're in a much better position from the outset.
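The three heuristics in the answer above, as an added example that is not part of the original post: a small Python script that reads IIS W3C log lines from the OWA virtual directory and applies sliding-window rules for "X countries in Y hours", "X IP addresses in Y minutes" and "X users from one IP", with a whitelist for VPN or proxy addresses. The log excerpt, the field layout, the GeoIP prefix table and the assumption that a `302` on `/owa/auth.owa` is a successful forms-based login are all constructed for this example; a real deployment would feed the same rules from the centralized log collector and a proper GeoIP database.

```python
"""Sliding-window login heuristics over IIS W3C log lines (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed IIS W3C extended log excerpt (not real data). Column order follows
# the "#Fields:" header line, which IIS writes for each log file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2014-03-01 08:00:12 10.0.0.5 POST /owa/auth.owa CONTOSO\\alice 203.0.113.10 302
2014-03-01 08:05:40 10.0.0.5 POST /owa/auth.owa CONTOSO\\bob 203.0.113.11 302
2014-03-01 08:06:02 10.0.0.5 POST /owa/auth.owa CONTOSO\\alice 203.0.113.12 302
2014-03-01 08:07:15 10.0.0.5 POST /owa/auth.owa CONTOSO\\alice 203.0.113.13 302
2014-03-01 08:08:30 10.0.0.5 POST /owa/auth.owa CONTOSO\\alice 203.0.113.14 302
2014-03-01 09:30:00 10.0.0.5 POST /owa/auth.owa CONTOSO\\bob 198.51.100.7 302
2014-03-01 10:00:00 10.0.0.5 POST /owa/auth.owa CONTOSO\\bob 198.51.100.7 401
2014-03-01 11:00:00 10.0.0.5 POST /owa/auth.owa CONTOSO\\carol 192.0.2.9 302
2014-03-01 11:01:00 10.0.0.5 POST /owa/auth.owa CONTOSO\\dave 192.0.2.9 302
2014-03-01 11:02:00 10.0.0.5 POST /owa/auth.owa CONTOSO\\erin 192.0.2.9 302
2014-03-01 11:03:00 10.0.0.5 GET /owa/ CONTOSO\\erin 192.0.2.9 200
"""

# Constructed stand-in for a GeoIP database: prefix -> country code (invented).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


def country_of(ip):
    """Look the client address up in the prefix table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_logins(text, login_uri="/owa/auth.owa", success_statuses=("302",)):
    """Return sorted (timestamp, user, client_ip) tuples for successful logins.

    Assumption for this example: a POST to the OWA logon handler answered with
    302 is a successful forms-based login; everything else is ignored.
    """
    fields, logins = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec["cs-uri-stem"] != login_uri or rec["sc-status"] not in success_statuses:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        logins.append((ts, rec["cs-username"], rec["c-ip"]))
    return sorted(logins)


def window_alerts(logins, value_fn, window, threshold):
    """Users with >= threshold distinct value_fn(ip) inside any sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in logins:
        by_user[user].append((ts, value_fn(ip)))
    alerts = set()
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({v for _, v in events[start:end + 1]}) >= threshold:
                alerts.add(user)
    return alerts


def shared_ip_alerts(logins, max_users=1, allow_ips=()):
    """Client IPs used by more than max_users accounts, minus whitelisted ones."""
    users_by_ip = defaultdict(set)
    for _, user, ip in logins:
        if ip not in allow_ips:
            users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > max_users}


def detect(text, allow_ips=()):
    """Apply the three rules with the starting thresholds from the answer."""
    logins = parse_logins(text)
    return {
        "multi_country": window_alerts(logins, country_of, timedelta(hours=4), 2),
        "multi_ip": window_alerts(logins, lambda ip: ip, timedelta(minutes=10), 3),
        "shared_ip": shared_ip_alerts(logins, 1, allow_ips),
    }


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed excerpt, `bob` trips the country rule (US then DE within four hours), `alice` trips the device rule (four client addresses in eight minutes), and `192.0.2.9` trips the shared-address rule with three accounts; the failed `401` and the plain `GET /owa/` are not counted as logins. Passing the proxy or VPN egress addresses in `allow_ips` is the whitelisting step the answer recommends.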