You can find the full playlist of Tradecraft episodes here: kzbin.info/aero/PLlPkFwQHxYE7Yi5jtcSyCCr8pXxP1OEkZ

Most orgs are following a generic standard referenced as Autodiscover for example a person with an email of flast@test.cc you can theoretically go to autodiscover.test.cc and it will take you to the expected login page. This standard was created to help mail apps find the users login location so naturally we can use it against them :)

Hey Jeff, when a user attempts to authenticate against Exchange/OWA the credentials are actually verified by the DC. So, the best place to alert would likely be failed login attempt security logs generated at the DC. You would likely need a tool or SIEM of some sort to parse through the logs and alert accordingly. I hope that helps!

@@beau_bullock but in DC the failure attempts are not showing under security logs , but when we enabled netlogon logs on DC we are noticing the login attempts are coming from exchange. This is strange bcaz the failure attempts ideally should be captured under security logs instead captures in netlogon logs