MDCA Alert - Account enumeration reconnaissance.

Daniel Birrell 46 Reputation points
2022-06-10T07:39:07.367+00:00

We are seeing a constant alert in MDCA for Account enumeration reconnaissance. This alert is against our on-prem Exchange server. We do not have any mailboxes on the Exchange server; all of our user mailboxes are held in the cloud. The Exchange server seems to be continually querying the DCs for these users.

This alert is telling us the following

Enumeration included a total of 48 guess attempts for account names.

The most recent enumeration attempts included a total of 26 non-existing account names.

We thought this was suspicious at first; however, when we look into the details of the alert, the account names are actually old users that used to exist in our AD but now 100% don't. These users were removed from AD, in some cases years ago.

We have checked on the exchange server and these users do not exist on there at all. We have looked

We have raised this with Microsoft and they have thus far been unhelpful in this case.

Has anyone seen this kind of issue or have any ideas how we can better troubleshoot it?


2 answers

  1. Limitless Technology 39,931 Reputation points
    2022-06-13T07:16:29.007+00:00

    Hi Learningmandan,

    Do you have a source IP? If not, check machine timeline to see if you can find it.

    These are almost certainly RDP connection attempts.

    Also, you can look at the target device's list of IP addresses in defender. Look for something that stands out.

    Either this device is on the internet without NAT/firewall blocking RDP, or someone/something is on the inside trying to connect.

    -------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Rosen Katsarov 81 Reputation points
    2022-06-14T11:09:34.107+00:00

    Hello,

    Looks like you may have Defender for Identity enabled as well,

    You can find details on the alert type and a playbook for dealing with such kind of alerts here:

    https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#account-enumeration-reconnaissance-external-id-2003

    Regards,

    Rosen

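As an added troubleshooting example (not code from the question or the answers, and not Microsoft's own detection logic): the alert reports "guess attempts" and distinct "non-existing account names", and the script below rebuilds that view from domain-controller logon-failure events (NTLM event 4776 with status 0xC0000064, Kerberos event 4768 with result code 0x6, both meaning the account does not exist) and then checks the guessed names against a list of deleted accounts, which is the pattern the question describes. The pipe-separated event layout, host names, account names and the deleted-account list are constructed assumptions.

```python
"""Added triage helper for an MDI 'Account enumeration reconnaissance' alert.
Not Microsoft's detection logic: it counts no-such-account logon failures per
source host and separates former (deleted) accounts from never-seen names."""
from collections import defaultdict

# Constructed sample events in a simplified "EventID|SourceHost|Account|Status"
# layout; a real DC security-log export would be reshaped into this form.
SAMPLE_EVENTS = """\
4776|EXCH01|jdoe|0xC0000064
4776|EXCH01|asmith|0xC0000064
4776|EXCH01|jdoe|0xC0000064
4768|EXCH01|oldsvc|0x6
4776|EXCH01|alice|0x0
4776|WS17|bob|0xC000006A
4768|WS17|ghost|0x6
"""

# (event id, status) pairs that mean "account does not exist".
NO_SUCH_ACCOUNT = {("4776", "0xC0000064"), ("4768", "0x6")}

def summarize(events: str) -> dict:
    """Per source host: number of guess attempts (no-such-account failures)
    and the sorted distinct non-existent names, mirroring the alert's counts."""
    per_source = defaultdict(lambda: {"attempts": 0, "names": set()})
    for line in events.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the triage
        event_id, source, account, status = parts
        if (event_id, status) not in NO_SUCH_ACCOUNT:
            continue  # bad password (0xC000006A) or success is not a guess
        rec = per_source[source]
        rec["attempts"] += 1
        rec["names"].add(account.lower())
    return {src: {"attempts": r["attempts"], "names": sorted(r["names"])}
            for src, r in per_source.items()}

def classify(names, former_accounts) -> tuple:
    """Split guessed names into former accounts (stale references, e.g. an
    old config or address list still naming deleted users) and names that
    never existed, which point at real guessing rather than stale data."""
    former = {n.lower() for n in former_accounts}
    stale = sorted(n for n in names if n in former)
    unknown = sorted(n for n in names if n not in former)
    return stale, unknown

if __name__ == "__main__":
    deleted = ["jdoe", "asmith", "oldsvc"]  # constructed deleted-account list
    for src, rec in summarize(SAMPLE_EVENTS).items():
        print(src, rec["attempts"], classify(rec["names"], deleted))
```

A source whose guessed names are all in the deleted-account list is most likely holding stale references (the situation in the question), while names that never existed in the directory deserve the playbook treatment in the linked article.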
