Publicly posted email addresses keep getting locked by malicious actors
Hi all, I'm wondering if there is a better way to deal with the issue we are facing.
Currently we have around 3500 emails on our Exchange, which is protected by FortiMail and a FortiWeb-400D. About 50% of our users use the webmail to log in to their emails. One of the protections we have in place is locking an account that enters a wrong password more than 7 times. The issue we have is that a lot of our emails are posted publicly, and malicious actors are locking thousands of accounts at a time by trying to access them with wrong passwords. We've managed to identify that the issue is coming externally through the webmail app.
Is there a best practice to deal with this type of issue? We've turned on IP blocking, but it doesn't seem to have done much to stem the tide of blocked accounts. We're thinking of turning off account blocking and turning on captcha checks, but I'm worried we'll cause more problems than solutions.
The best solution would be to bring in FortiAuthenticator with FortiTokens and implement a 2FA solution for OWA. Since the FAC agent for OWA verifies the OTP first, there is no possibility of brute-forcing the PW.
You are on the correct path. As someone suggested, use the upstream firewall's IPS capabilities to limit the requests, then use FortiWeb REB and captcha enforcement to rate-limit the requests, use IP reputation, make use of custom policies to limit the user agents, etc. Use geo-blocking in the upstream firewall and FortiWeb.
If budget permits and it is technically feasible, I would also consider ZTNA. I am not very fluent with FortiMail, so I am not sure what can be done there. However, for this solution I would stand with implementing 2FA with FAC and tokens.
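An added illustration, not code from this thread or from Fortinet, of the difference between the per-account lockout described in the question and the per-source rate limiting recommended in the reply above: it runs both rules over constructed sample login events (the IPs, account names, window and thresholds are assumed for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_LOCK_THRESHOLD = 7   # the poster's current per-account lockout rule
SOURCE_FAIL_THRESHOLD = 7    # failed logins from one source IP, any accounts (assumed)
SOURCE_SPRAY_THRESHOLD = 5   # distinct accounts failing from one source IP (assumed)
WINDOW = timedelta(minutes=10)


def make_sample_events():
    """Constructed sample webmail login events: (timestamp, source IP, account, success)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    # one source tries six different publicly posted addresses once each
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        events.append((t0 + timedelta(seconds=i), "203.0.113.7", f"{user}@example.com", False))
    # one source hammers a single account eight times, enough to trigger the lockout
    for i in range(8):
        events.append((t0 + timedelta(seconds=30 + i), "198.51.100.9", "alice@example.com", False))
    # a legitimate user mistypes twice, then logs in
    events.append((t0 + timedelta(minutes=1), "192.0.2.5", "carol@example.com", False))
    events.append((t0 + timedelta(minutes=1, seconds=5), "192.0.2.5", "carol@example.com", False))
    events.append((t0 + timedelta(minutes=1, seconds=10), "192.0.2.5", "carol@example.com", True))
    return events


def evaluate(events, now):
    """Apply both rules to the failures inside the window.
    Returns (accounts the per-account rule locks, source IPs the per-source rule blocks)."""
    recent = [e for e in events if now - WINDOW <= e[0] <= now and not e[3]]
    per_account = defaultdict(int)
    per_source_fails = defaultdict(int)
    per_source_accounts = defaultdict(set)
    for _, src, acct, _ in recent:
        per_account[acct] += 1
        per_source_fails[src] += 1
        per_source_accounts[src].add(acct)
    locked = {a for a, n in per_account.items() if n >= ACCOUNT_LOCK_THRESHOLD}
    blocked = {s for s in per_source_fails
               if per_source_fails[s] >= SOURCE_FAIL_THRESHOLD
               or len(per_source_accounts[s]) >= SOURCE_SPRAY_THRESHOLD}
    return locked, blocked


def demo():
    return evaluate(make_sample_events(), datetime(2024, 5, 1, 10, 2, 0))


if __name__ == "__main__":
    locked, blocked = demo()
    print("per-account lockout locks:", sorted(locked))   # only alice@example.com
    print("per-source rule blocks:", sorted(blocked))     # both attacking IPs
```

The spraying source never pushes any single mailbox to 7 failures, so the per-account rule does nothing against it, while the per-source rule blocks both attacking IPs and leaves the legitimate user untouched.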