Notes from the IR front lines — if you have on-prem Exchange, assume compromise. Also start a plan to migrate to Microsoft 365… yesterday.

Apr 20, 2022 · 12:20 AM UTC

Replying to @hal_pomeranz
Is this necessary if exchange is not accessible to the internet? No EWS or OWA? MDM for access to mobile email? Proof point or something like it as your email edge to the internet?
Certainly eliminates Exchange as the initial breach, but it will be a juicy target after they get in with stolen VPN credentials
Replying to @hal_pomeranz
This is so polarizing. What’s the reasoning? We are half in/half out already and stuck on moving forward with 365 or going back to on-prem
Recent experience is teaching me that it’s impossible to securely run Exchange on prem. It’s been the initial point of entry for numerous compromises.
Replying to @hal_pomeranz
Getting past the FUD, what do you suggest orgs do? Are there any common IOCs people should look for?
The most common indicator we’re seeing is w3wp.exe spawning csc.exe. Look for webshells under …\Exchange Server\*\FrontEnd\HttpProxy\{owa,ecp}\*
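The two indicators in the reply above (w3wp.exe spawning csc.exe, and unexpected .aspx files under the Exchange FrontEnd\HttpProxy owa/ecp virtual directories) can be turned into simple hunting logic. The script below is an added example written for this page, not code from the thread's author or from Microsoft. It runs over constructed, flattened process-creation events and a constructed list of file paths; the key=value event format, the baseline of known .aspx files, and every path and filename in it are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a flattened key=value style (loosely
# modelled on Sysmon Event ID 1 fields). Made-up sample data, not real telemetry.
SAMPLE_EVENTS = [
    "UtcTime=2022-04-19 22:01:14 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe User=NT AUTHORITY\\SYSTEM",
    "UtcTime=2022-04-19 22:01:20 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "Image=C:\\Windows\\System32\\conhost.exe User=NT AUTHORITY\\SYSTEM",
    "UtcTime=2022-04-19 22:05:02 ParentImage=C:\\Program Files\\DevTools\\devenv.exe "
    "Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe User=CORP\\developer",
]

# Constructed file listing for the Exchange FrontEnd\HttpProxy tree. The
# "EXAMPLE-unexpected.aspx" name is a placeholder for an unknown file.
SAMPLE_PATHS = [
    "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logon.aspx",
    "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\EXAMPLE-unexpected.aspx",
    "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\owa\\other.aspx",
    "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logo.png",
]

# Hypothetical baseline: relative paths of .aspx files known to ship with the
# install. In practice build this from a clean reference system, not by hand.
BASELINE_ASPX = {"owa\\auth\\logon.aspx"}

# Matches the "...\Exchange Server\<version>\FrontEnd\HttpProxy\owa|ecp\" prefix
# from the thread and captures where the vdir-relative path begins.
HTTPPROXY_RE = re.compile(
    r"\\exchange server\\[^\\]+\\frontend\\httpproxy\\((?:owa|ecp)\\)", re.I
)


def _parse_event(line):
    """Split a flattened 'Key=Value Key=Value' line into a dict.
    Values may contain spaces, so a value runs until the next ' Key=' token."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def flag_w3wp_children(lines, children=frozenset({"csc.exe"})):
    """Return events where the IIS worker process (w3wp.exe) is the parent of a
    child in `children`. The default child set is the csc.exe indicator from the thread."""
    hits = []
    for line in lines:
        ev = _parse_event(line)
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent == "w3wp.exe" and child in children:
            hits.append(ev)
    return hits


def flag_unexpected_aspx(paths, baseline):
    """Return .aspx files under FrontEnd\\HttpProxy\\{owa,ecp} whose vdir-relative
    path is not in the baseline. Non-.aspx files and other trees are ignored."""
    hits = []
    for path in paths:
        if not path.lower().endswith(".aspx"):
            continue
        m = HTTPPROXY_RE.search(path)
        if m is None:
            continue
        relative = path[m.start(1):].lower()
        if relative not in baseline:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for ev in flag_w3wp_children(SAMPLE_EVENTS):
        print("w3wp child:", ev["UtcTime"], ev["Image"])
    for path in flag_unexpected_aspx(SAMPLE_PATHS, BASELINE_ASPX):
        print("unexpected aspx:", path)
```

Both checks are starting points for triage, not verdicts: ASP.NET can invoke csc.exe legitimately during dynamic compilation, so a w3wp.exe to csc.exe hit should be correlated with timing, the user context and any new .aspx files, and the baseline comparison only works when the baseline comes from a known-clean install of the same Exchange build. Comparing file hashes rather than names would catch a webshell written over a legitimate file, which the name-based check above does not.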
Replying to @hal_pomeranz
I use AOL, so I’m good.
Replying to @hal_pomeranz
Is there a new exploit targeting exchange or is it more of the proxy shell stuff and orgs just haven’t patched yet?
Replying to @hal_pomeranz
If I were migrating nowadays, it wouldn't be to 365. It would be to Google. I'm convinced that 365 is just a hair above Exchange.
We migrated 10 years ago to GMail. Best decision (no O365 that time)