This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 90%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
We are seeing a constant alert in MDCA for Account enumeration reconnaissance. This alert is against our on prem exchange server. We do not have any mailboxes on the exchange server all of our user mailboxes are held in the cloud. The exchange server seems to be querying the DC's for these users. Continually.
This alert is telling us the following
Enumeration included a total of 48 guess attempts for account names.
We thought this was suspicious at first however when we look into this details of the alert the account names are actually old users that used to exist in our AD but now 100% don't. These users have been removed from AD on some occasions years ago.
We have checked on the exchange server and these users do not exist on there at all. We have looked
We have raised this with Microsoft and they have thus far been unhelpful in this case.
Has anyone seen this kind of issue or have any ideas how we can better troubleshoot it?
Hi Learningmandan,
Do you have a source IP? If not, check machine timeline to see if you can find it.
These are almost certainly RDP connection attempts.
Also, you can look at the target device's list of IP addresses in defender. Look for something that stands out.
Either this device is on the internet without NAT/firewall blocking RDP, or someone/something is on the inside trying to connect.
-------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 16%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Hello,
Looks like you may have Defender for Identity enabled as well,
You can find details on the alert type and a playbook for dealing with such kind of alerts here:
Regards,
Rosen