Score:0

How to detect Basic authentication as fallback auth method - Exchange 2016 on-prem + Azure MFA

We have configured Azure MFA in our Exchange on-prem 2016. Unfortunately, the MFA control can easily be bypassed by using an old email client (Outlook 2010, for example). This is a known issue and the upgrade is the natural path. Until we walk that path, I wondered if there would be a way to detect those basic authentication attempts.

Many thanks

Kael
Can you find the attempts in Azure AD sign-in log?
YaKs
The authentication happens locally on the server; no web popup appears. I found some logs in the Exchange path E:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi. I am trying to index it now in Splunk.
Score:0

I finally used Splunk for it, indexing the WinHttp Exchange logs. I had to create the sourcetype for the log files located in [Exchange installation drive]:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi.

index=msexchange sourcetype=MSExchange:2016:WinHttp host=XXXXXXXX AuthMethod=Bearer
| stats count(_time) as totalConnections, latest(_time) as lastcon, values(UserAgent) as UserAgents by UserSID
| eval last_connection = strftime(lastcon, "%Y%m%d")
| table UserSID, last_connection, UserAgents, totalConnections
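
For hosts whose logs are not yet indexed, the same per-user summary can be produced straight from a log file. The following is an added example, not part of the original answer: it counts Basic-authentication rows per user in CSV log text. The column names (DateTime, AuthMethod, UserSID, UserAgent) mirror the Splunk fields in the query above, and the value "Basic" and the `#` metadata lines are assumptions; adjust them to the header of the real log.

```python
import csv
from collections import defaultdict

# Constructed sample rows. Column names follow the Splunk fields used in the
# query above (assumption: the real log header may name them differently).
SAMPLE_LOG = """\
DateTime,AuthMethod,UserSID,UserAgent
#Software: constructed sample
2021-03-01T08:00:00Z,Bearer,S-1-5-21-1-1001,Microsoft Office/16.0
2021-03-01T08:05:00Z,Basic,S-1-5-21-1-1002,Microsoft Office/14.0
2021-03-02T09:10:00Z,Basic,S-1-5-21-1-1002,Microsoft Office/14.0
2021-03-02T09:30:00Z,basic,S-1-5-21-1-1003,Microsoft Office/14.0
2021-03-03T07:00:00Z,Negotiate,S-1-5-21-1-1004,Microsoft Office/16.0
"""


def summarize_basic_auth(log_text, legacy_value="Basic"):
    """Return {UserSID: {count, last_connection, user_agents}} for rows whose
    AuthMethod equals legacy_value (case-insensitive)."""
    # Skip blank lines and '#' metadata lines before CSV parsing.
    lines = [ln for ln in log_text.splitlines() if ln and not ln.startswith("#")]
    summary = defaultdict(
        lambda: {"count": 0, "last_connection": "", "user_agents": set()}
    )
    for row in csv.DictReader(lines):
        method = (row.get("AuthMethod") or "").strip().lower()
        if method != legacy_value.lower():
            continue
        entry = summary[row["UserSID"]]
        entry["count"] += 1
        # ISO 8601 timestamps in a single time zone sort lexicographically.
        entry["last_connection"] = max(entry["last_connection"], row["DateTime"])
        entry["user_agents"].add(row["UserAgent"])
    return dict(summary)


if __name__ == "__main__":
    for sid, info in sorted(summarize_basic_auth(SAMPLE_LOG).items()):
        print(sid, info["count"], info["last_connection"], sorted(info["user_agents"]))
```
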
