Nov 21, 2022
Hello dear friends.

I wanted to ask you about some logs from my Exchange server which I catch with QRadar. They are all with QID 5000830 or EventID 4624, which is a successful login to a server or anything.

I use a rule which tells me if someone logs in to the Exchange server from an external IP outside my country.
The problem is that I get logs with QID 5000830 or EventID 4624, and for a big part of the IPs, when I check them, the ISP is Microsoft Corporation, services: Datacenter. I have doubts about these IPs and I think they are fraudulent. I checked them on ipqualityscore also and there the fraud score is 65. What do you think about this? I also read that Microsoft Corporation has partnered up with some company to provide some internet services, but I am not so sure about this. If the IPs are fraudulent I am quite sure that I have to disable some accounts and change passwords also.

In the attachment are the results from both of the web services I use to check the IPs that connect to my Exchange server.

Can you please tell me if these results are false positives and the behavior of the Exchange server is normal, or whether the connections are from fraudulent IPs which I have to block on my firewall, and also disable the users and change their passwords?

Thank you!


We can't tell you what expected network traffic is for you or your org. That would be something for you to determine.
I can offer up that cloud infrastructure is global and anyone could be using those resources for legitimate, morally grey or malicious activity. Based on my past experience, you're likely experiencing people, companies or both scanning the internet, including the IP space you occupy. If it's not impacting your systems and you have not detected any active attacks, I would not be too concerned. If you know for certain they should not be connecting and you have a firewall that can block by country, you can set up a rule to block the activity.

I am not sure if you understood my question well. This IP address is being used to log in to the Exchange server we use. This is one of many. I suspect this is an attack because the IP is fraudulent according to the web services I used to check it. And not all the domain users are used to connect to our Exchange server; just 20% of the users are being used. I am thinking now what to do, and I think I will take one of those users, add 2FA and see if this kind of connection disappears for that particular user.

If you have resources in Azure then this may be normal.
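Pulling the thread's points together (the question's country rule on EventID 4624 / QID 5000830, the first reply's "work out what is expected for you", and the last reply's Azure point) as an added Python example; this is not code from any poster or from QRadar. The GeoIP table, the Azure range and the 4624 records are constructed stand-ins, and HOME_COUNTRY is an assumed value.

```python
import ipaddress
from collections import defaultdict

HOME_COUNTRY = "AL"  # assumption: replace with the org's own country code
# RFC 1918 and loopback: a 4624 from here is internal, not external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed GeoIP/ISP table (TEST-NET ranges, made-up labels) standing in for
# the web services used in the thread: net -> (country, org, is_datacenter).
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "Microsoft Corporation", True),
    ipaddress.ip_network("198.51.100.0/24"): ("DE", "Example Hosting", True),
    ipaddress.ip_network("192.0.2.0/24"): ("AL", "Example ISP", False),
}
# Constructed: the org's own Azure ranges, where Microsoft datacenter IPs are expected.
OWN_CLOUD = [ipaddress.ip_network("203.0.113.0/26")]
# Constructed EventID 4624 (QID 5000830) records as the SIEM normalises them.
EVENTS = [
    {"account": "alice", "src_ip": "10.0.5.23"},
    {"account": "alice", "src_ip": "192.0.2.40"},
    {"account": "bob", "src_ip": "203.0.113.77"},
    {"account": "bob", "src_ip": "198.51.100.5"},
    {"account": "carol", "src_ip": "10.0.0.4"},
    {"account": "carol", "src_ip": "203.0.113.77"},
    {"account": "svc-sync", "src_ip": "203.0.113.9"},
]

def lookup(ip):
    """(country, org, is_datacenter) for ip, or None when the table has no entry."""
    return next((info for net, info in GEO.items() if ip in net), None)

def triage(events, home=HOME_COUNTRY):
    """Per account: external sources that are foreign or datacenter space, and
    whether the account is also seen from inside (which lowers the priority)."""
    acct = defaultdict(lambda: {"foreign": set(), "datacenter": set(), "internal": False})
    for ev in events:
        ip, rec = ipaddress.ip_address(ev["src_ip"]), acct[ev["account"]]
        if any(ip in n for n in INTERNAL):
            rec["internal"] = True
        elif not any(ip in n for n in OWN_CLOUD):  # own Azure space is expected
            info = lookup(ip)
            if info is None or info[0] != home:  # unknown geo counts as foreign
                rec["foreign"].add(str(ip))
            if info is not None and info[2]:
                rec["datacenter"].add(str(ip))
    findings = {}
    for name, rec in acct.items():
        if rec["foreign"] or rec["datacenter"]:
            prio = "high" if rec["foreign"] and not rec["internal"] else "review"  # never seen inside
            findings[name] = {"priority": prio, "foreign_ips": sorted(rec["foreign"]),
                              "datacenter_ips": sorted(rec["datacenter"])}
    return findings
```

The country-only rule from the question fires on every row here; grouping per account is what separates an account that only ever appears from foreign datacenter space (bob) from one that also logs in from the office (carol) or from the org's own Azure range (svc-sync).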