MDCA Alert - Account enumeration reconnaissance.

LabDays 21 Reputation points

We are seeing a constant alert in MDCA for Account enumeration reconnaissance. This alert is against our on-prem Exchange server. We do not have any mailboxes on the Exchange server; all of our user mailboxes are held in the cloud. The Exchange server seems to be continually querying the DCs for these users.

This alert is telling us the following:

  1. Enumeration included a total of 48 guess attempts for account names.
  2. The most recent enumeration attempts included a total of 26 non-existing account names.

We thought this was suspicious at first; however, when we look into the details of the alert, the account names are actually old users that used to exist in our AD but now 100% don't. These users were removed from AD, in some cases years ago.

We have checked on the Exchange server and these users do not exist there at all. We have looked

We have raised this with Microsoft and they have thus far been unhelpful in this case.

Has anyone seen this kind of issue or have any ideas how we can better troubleshoot it?
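A first troubleshooting step for the question above, as an added example that is not from this thread: a PowerShell script to run on a domain controller that lists failed Kerberos ticket requests (Event ID 4768 with Status 0x6, client principal unknown) arriving from the Exchange server, so the requested non-existent names can be matched against the ones the alert shows. It assumes Kerberos Authentication Service auditing is enabled on the DC and that $ExchangeIp is a placeholder to replace with the real server address.

```powershell
# Added example (not from the thread): on a DC, list failed Kerberos AS-REQs
# (Event ID 4768, Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN) coming from the
# Exchange server, grouped by the account name that was requested.
# Assumptions: "Audit Kerberos Authentication Service" is enabled on the DC,
# and $ExchangeIp is a placeholder for the Exchange server's IP address.
param(
    [string]$ExchangeIp = '10.0.0.25',   # placeholder, replace with the real IP
    [int]$Hours = 24                     # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Pull the EventData fields (TargetUserName, IpAddress, Status, ...) out of the XML.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # IPv4 clients are logged as ::ffff:a.b.c.d; strip the prefix before comparing.
    $src = ($data['IpAddress'] -replace '^::ffff:', '')

    if ($data['Status'] -eq '0x6' -and $src -eq $ExchangeIp) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = $data['TargetUserName']
            Source  = $src
        }
    }
}

# Which non-existent names the Exchange server keeps asking for, how often,
# and when each was last seen. Compare this list with the names in the alert.
$rows |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time)[-1].Time } }
```

If the names match, the next step is on the Exchange server itself: the times in the LastSeen column can be lined up against its own logs or scheduled activity to find which component still references the deleted accounts.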


2 answers

  1. Limitless Technology 37,646 Reputation points

    Hi Learningmandan,

    Do you have a source IP? If not, check machine timeline to see if you can find it.

    These are almost certainly RDP connection attempts.

    Also, you can look at the target device's list of IP addresses in defender. Look for something that stands out.

    Either this device is on the internet without NAT/firewall blocking RDP, or someone/something is on the inside trying to connect.


    --If the reply is helpful, please Upvote and Accept as answer--

  2. Rosen Katsarov 76 Reputation points


    Looks like you may have Defender for Identity enabled as well.

    You can find details on the alert type and a playbook for dealing with such kind of alerts here: