
We have configured Azure MFA in our Exchange on-prem 2016. Unfortunately, the MFA control can easily be bypassed by using an old email client (Outlook 2010, for example). This is a known issue and the upgrade is the natural path. Until we walk that path, I wondered if there would be a way to detect those basic authentication attempts.

many thanks

YaKs
  • Can you find the attempts in Azure AD sign-in log? – Kael May 11 '23 at 05:33
  • The authentication happens locally on the server; no web popup appears. I found some logs in the Exchange path E:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi. I am trying to index it now in Splunk – YaKs May 11 '23 at 10:13

1 Answer


I finally used Splunk for it, indexing the WinHttp Exchange logs. I had to create the sourcetype for the log files located in [Exchange installation drive]:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi.

index=msexchange sourcetype=MSExchange:2016:WinHttp host=XXXXXXXX AuthMethod=Bearer | stats count(_time) as totalConnections, latest(_time) as lastcon, values(UserAgent) as UserAgents by UserSID | eval last_connection = strftime(lastcon, "%Y%m%d") | table UserSID, last_connection, UserAgents, totalConnections

YaKs
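Stand-alone version of the same detection, as an added example that is not the poster's code or Microsoft's: it parses a file in the HttpProxy\Mapi log shape (the `#Fields:` header convention and the column subset used, including the `AuthenticationType` and `AuthenticatedUser` names, are an assumption; the log lines are constructed), keeps every request that did not authenticate with a Bearer token (the inverse of the Splunk filter above, so that the non-modern-auth clients are what gets listed), and renders a per-user table of last connection, auth types and user agents, flagging the Outlook 2010 user agent (Office 14.0) that the question names.

```python
import csv
from datetime import datetime

# Constructed sample in the shape of an Exchange HttpProxy\Mapi log file.
# Assumption: comment lines start with '#' and a '#Fields:' line names the CSV
# columns; the column subset is hypothetical, so the parser reads the header
# instead of hard-coding positions.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,Protocol,AuthenticationType,IsAuthenticated,AuthenticatedUser,UserAgent,ClientIpAddress,HttpStatus
2023-05-11T08:01:12.101Z,Mapi,Basic,True,alice@example.com,Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7268; Pro),10.0.0.21,200
2023-05-11T08:02:40.330Z,Mapi,Bearer,True,bob@example.com,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16327; Pro),10.0.0.22,200
2023-05-11T08:03:05.004Z,Mapi,Basic,False,alice@example.com,Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7268; Pro),203.0.113.9,401
2023-05-11T08:04:55.887Z,Mapi,Bearer,True,carol@example.com,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16327; Pro),10.0.0.23,200
2023-05-11T08:05:10.500Z,Mapi,NTLM,True,dave@example.com,Microsoft Office/15.0 (Windows NT 6.3; Microsoft Outlook 15.0.5589; Pro),10.0.0.24,200
"""

MODERN_AUTH = {"Bearer"}  # token auth, the only path on which Azure MFA is enforced


def parse_httpproxy_log(text):
    """Turn a '#Fields:'-headed CSV log into a list of dicts keyed by column name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' lines are file metadata
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted fields containing commas
        rows.append(dict(zip(fields, values)))
    return rows


def is_outlook_2010(user_agent):
    """Outlook 2010 identifies itself as Office 14.0 in its user agent."""
    return "Microsoft Office/14.0" in user_agent


def summarize_legacy_auth(rows, modern_auth=MODERN_AUTH):
    """Per user, aggregate every request that did not use modern (token) auth."""
    report = {}
    for row in rows:
        if row.get("AuthenticationType") in modern_auth:
            continue
        user = row.get("AuthenticatedUser") or "<anonymous>"
        entry = report.setdefault(user, {
            "total": 0, "failed": 0, "auth_types": set(), "user_agents": set(),
            "client_ips": set(), "first_seen": None, "last_seen": None,
            "outlook_2010": False,
        })
        entry["total"] += 1
        if row.get("IsAuthenticated", "").lower() != "true":
            entry["failed"] += 1  # rejected basic-auth attempts are worth seeing too
        entry["auth_types"].add(row.get("AuthenticationType", ""))
        entry["user_agents"].add(row.get("UserAgent", ""))
        entry["client_ips"].add(row.get("ClientIpAddress", ""))
        entry["outlook_2010"] |= is_outlook_2010(row.get("UserAgent", ""))
        ts = row["DateTime"]  # ISO-8601 UTC, so plain string comparison orders correctly
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
    return report


def format_report(report):
    """Render the same columns as the Splunk table in the answer, plus failure and client flags."""
    lines = ["User | LastConnection | AuthTypes | UserAgents | Total | Failed | Outlook2010"]
    for user, e in sorted(report.items()):
        last = datetime.strptime(e["last_seen"], "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%Y%m%d")
        lines.append(" | ".join([
            user, last, ",".join(sorted(e["auth_types"])),
            "; ".join(sorted(e["user_agents"])), str(e["total"]), str(e["failed"]),
            "yes" if e["outlook_2010"] else "no",
        ]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_legacy_auth(parse_httpproxy_log(SAMPLE_LOG))))
```

Point the script at a real log by replacing `SAMPLE_LOG` with the file contents; the only thing it relies on is the `#Fields:` header naming the columns, so if the live log uses different column names, adjust the three `row.get(...)` keys rather than the parser.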