This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 70%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
when running the hafnium powershell script on our exchange 2013 server, the only thing returned was two entries in autodiscover.
each ended with: the email address cannot be found.
2021-03-03T11:32:23.754Z,ab20f7df-07ff-4abf-bc47-ce9e31fea8bd,15,0,1395,0,,Negotiate,true,NT AUTHORITY\SYSTEM,,ExchangeServicesClient/0.0.0.0,86.105.18.116,JFIEX2013P,MYEXCHANGE.MYDOMAIN.COM,POX,200,500,0,0,1,,,,,GlobalThrottlingPolicy_f9fb2403-54c7-412d-b51b-7f13cdaa45cb,,,1,3,0,3,2,,10,ADSessionSettingsFromAddress=0;ADRecipientSessionFindBySid=0;Caller=null;ResolveMethod=Unknown;RequestedRecipient=null;RequestedUser=administrator@Mydomain.com;S:ServiceCommonMetadata.RequestSize=347;S:WLM.Bal=300000;S:WLM.BT=Ews;S:BudgetMetadata.MaxConn=27;S:BudgetMetadata.MaxBurst=300000;S:BudgetMetadata.BeginBalance=300000;S:BudgetMetadata.Cutoff=3000000;S:BudgetMetadata.RechargeRate=900000;S:BudgetMetadata.IsServiceAct=False;S:BudgetMetadata.LiveTime=00:00:00;S:BudgetMetadata.EndBalance=300000;Dbl:WLM.TS=10;I32:ADS.C[ad-2]=2;F:ADS.AL[ad-2]=2.5936;I32:ATE.C[dc1.mydomain.com]=1;F:ATE.AL[dc1.mydomain.com]=0;I32:ADS.C[dc1]=1;F:ADS.AL[dc1]=2.3683,,message=The email address can't be found.;
is this false positve, indication of scan or what? all other tests showed no issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 72%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOJ%3C/text%3E%3C/svg%3E)
Hello,
ive got similar results, three entries in "autodiscover" with the ip-adress "86.105.18.116", our domain-admin-user and the ending "the email adress could not be found".
No suspicious files in the mentioned folders, the Test-ProxyLogon Script shows the exact three results as the first script, our antivirus detects nothing.
So is this a "try to come in but no success"-situation?
The security patch was installed last thursday our our 2013 cu23 exchange, we are now deliberating if there are other measures we should take or if we were lucky that nothing really bad happened.
Thanks for answer in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @gman
Any update here?
Hi @gman
Please also check if you see any other suspicious activity like ECP/OWA/OAB or evidence of the other CVE's being hit then collect the following data from the impacted server(s):
C:\inetpub\wwwroot\aspnet_client\ *.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\
%ExchangeInstallPath%\FrontEnd\HttpProxy\OWA\Auth\
The log output from the Test-ProxyLogon Script
Detailed information refer to this Scan Exchange log files for indicators of compromise
Make sure you have upgraded your Exchange server to the latest CU version and have installed the security patch, this method is the only complete mitigation and has no impact to functionality.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I would scan for any vulnerabilities:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/Defender-MSERT-Guidance.md
Hi,
scanned the whole server, no potential threat detected.
Any other advice or or measures you would recommend?
Thanks in advance.
Hi,
It should be ok if you have patched the security update