Custom IPS signature to block Microsoft Exchange EWS brute force logon attempts
Hi everyone
We were recently hit by a brute force logon attack against Exchange Web Services (EWS). FortiGate (e.g. FortiOS 5.4.9) does not seem to offer any signatures for Exchange EWS. There is only a rate-based signature for brute force Outlook Web App (OWA) logon attempts, but this does not help in this case.
I wanted to ask if anyone has ever created a custom signature for EWS? Or does anyone know what the default MS.OWA.Brute.Force signature looks like? This could then be modified accordingly.
In the interim I have created the following signature:
F-SBID(--name "MS.EWS.Brute.Force"; --pattern "HTTP/1.1 401 Unauthorized"; --service HTTP; --protocol tcp; --flow from_server,reversed; --rate 4,10,limit; --track dst_ip; --ipver 4; --src_addr 192.168.1.40; --context header;)
Any feedback would be appreciated. Thank you.
Regards
Stefan
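
An added example, not part of Stefan's post and not Fortinet code: the posted pattern matches any `401` response header from the server, so this Python sketch replays the same threshold (4 matches in 10 seconds per client, which is what `--rate 4,10` with `--track dst_ip` on server responses is assumed to mean) over web-server log lines restricted to EWS, to see which clients the threshold would catch before enforcing it. The log lines, their field order and the `/EWS/` path prefix are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

RATE_COUNT = 4        # from the posted signature: --rate 4,10
RATE_WINDOW = 10      # seconds
EWS_PREFIX = "/ews/"  # assumption: EWS is published under the default /EWS/ path

# Constructed sample lines, not real traffic. Assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2018-05-02 09:00:00 203.0.113.7 POST /EWS/Exchange.asmx 401
2018-05-02 09:00:02 203.0.113.7 POST /EWS/Exchange.asmx 401
2018-05-02 09:00:04 203.0.113.7 POST /EWS/Exchange.asmx 401
2018-05-02 09:00:06 203.0.113.7 POST /EWS/Exchange.asmx 401
2018-05-02 09:00:08 203.0.113.7 POST /EWS/Exchange.asmx 401
2018-05-02 09:01:00 198.51.100.20 POST /EWS/Exchange.asmx 401
2018-05-02 09:01:00 198.51.100.20 POST /EWS/Exchange.asmx 401
2018-05-02 09:01:01 198.51.100.20 POST /EWS/Exchange.asmx 200
2018-05-02 09:02:00 198.51.100.33 POST /Microsoft-Server-ActiveSync 401
2018-05-02 09:02:01 198.51.100.33 POST /Microsoft-Server-ActiveSync 401
2018-05-02 09:02:02 198.51.100.33 POST /Microsoft-Server-ActiveSync 401
2018-05-02 09:02:03 198.51.100.33 POST /Microsoft-Server-ActiveSync 401
2018-05-02 09:05:00 192.0.2.50 POST /EWS/Exchange.asmx 401
2018-05-02 09:05:12 192.0.2.50 POST /EWS/Exchange.asmx 401
2018-05-02 09:05:24 192.0.2.50 POST /EWS/Exchange.asmx 401
2018-05-02 09:05:36 192.0.2.50 POST /EWS/Exchange.asmx 401
"""

def flag_clients(log_text, count=RATE_COUNT, window=RATE_WINDOW):
    """Return {client_ip: time at which `count` EWS 401s fell inside `window` s}."""
    recent = defaultdict(deque)   # client IP -> timestamps of recent EWS 401s
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or line.startswith("#"):
            continue              # skip blank, header and malformed lines
        date, time, client, _method, uri, status = parts
        if status != "401" or not uri.lower().startswith(EWS_PREFIX):
            continue              # only 401 responses to EWS requests count
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) >= count:
            flagged.setdefault(client, ts)
    return flagged

if __name__ == "__main__":
    for ip, when in flag_clients(SAMPLE_LOG).items():
        print(f"{ip} reached {RATE_COUNT} EWS 401s within {RATE_WINDOW}s at {when}")
```

In the constructed sample only the first client reaches the threshold; the client whose two `401` responses are followed by a `200`, the ActiveSync client and the slow client stay below it.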
