MDCA Alert - Account enumeration reconnaissance.

Question

We are seeing a constant alert in MDCA for Account enumeration reconnaissance. This alert is against our on prem exchange server. We do not have any mailboxes on the exchange server all of our user mailboxes are held in the cloud. The exchange server seems to be querying the DC's for these users. Continually.

This alert is telling us the following

Enumeration included a total of 48 guess attempts for account names.

2. The most recent enumeration attempts included a total of 26 non-existing account names.

We thought this was suspicious at first however when we look into this details of the alert the account names are actually old users that used to exist in our AD but now 100% don't. These users have been removed from AD on some occasions years ago.

We have checked on the exchange server and these users do not exist on there at all. We have looked

We have raised this with Microsoft and they have thus far been unhelpful in this case.

Has anyone seen this kind of issue or have any ideas how we can better troubleshoot it?

Answer 1

Hi Learningmandan,

Do you have a source IP? If not, check machine timeline to see if you can find it.

These are almost certainly RDP connection attempts.

Also, you can look at the target device's list of IP addresses in defender. Look for something that stands out.

Either this device is on the internet without NAT/firewall blocking RDP, or someone/something is on the inside trying to connect.

-------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

Hello,

Looks like you may have Defender for Identity enabled as well,

You can find details on the alert type and a playbook for dealing with such kind of alerts here:

https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#account-enumeration-reconnaissance-external-id-2003

Regards,

Rosen