I am struggling trying to find the real source of a bunch of authentication attempts (brute force) that I just discovered in our environment.
I did my own test connecting to our public URL https://mail.xxxxxx.yyy/mapi/ using my 4G phone, with wrong credentials.
The event 4776 logged on our DC server is the following:
SourceName=Microsoft Windows security auditing.
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: test4g
Source Workstation: localhost
Error Code: 0xC0000064
I tried to find traces in our Exchange IIS logs and I don't find any entry. I checked, and logging is enabled, format W3C. We have on-prem Exchange 2016.
Maybe I need to enable some settings for deeper logging?
Thanks a lot.
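Since the DC event only records Source Workstation: localhost, the client address has to come from the IIS W3C logs. Here is an added example, not from the original post, that parses the log's own #Fields header and ranks client IPs by rejected requests under /mapi/; the sample lines are constructed, and treating sc-status 401 as a rejected credential is an assumption.

```python
# Added example (not from the original post): rank client IPs by rejected
# requests to the Exchange /mapi/ endpoint in IIS W3C logs. Assumes a
# #Fields header is present (parsed, so column order does not matter).
from collections import Counter

# Constructed sample excerpt in IIS W3C format; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-01-01 00:00:01 10.0.0.5 POST /mapi/emsmdb/ - 443 - 203.0.113.7 Microsoft+Office/16.0 401 1 1326 15
2023-01-01 00:00:02 10.0.0.5 POST /mapi/emsmdb/ - 443 - 203.0.113.7 Microsoft+Office/16.0 401 1 1326 12
2023-01-01 00:00:03 10.0.0.5 POST /mapi/emsmdb/ - 443 corp\\alice 198.51.100.20 Microsoft+Office/16.0 200 0 0 40
2023-01-01 00:00:04 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 3
2023-01-01 00:00:05 10.0.0.5 POST /mapi/nspi/ - 443 - 203.0.113.9 Microsoft+Office/16.0 401 1 1326 11
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date, ...) and blanks
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated/malformed lines
                yield dict(zip(fields, values))

def failed_mapi_logons(text, path_prefix="/mapi/", status="401"):
    """Return {c-ip: count} of requests under path_prefix with sc-status == status.

    Assumption: if a load balancer fronts Exchange, c-ip may be its address and
    the true client must come from a custom X-Forwarded-For log field.
    """
    by_ip = Counter()
    for entry in parse_w3c(text):
        if entry["cs-uri-stem"].startswith(path_prefix) and entry["sc-status"] == status:
            by_ip[entry["c-ip"]] += 1
    return dict(by_ip)

if __name__ == "__main__":
    ranked = sorted(failed_mapi_logons(SAMPLE_LOG).items(), key=lambda kv: -kv[1])
    for ip, n in ranked:
        print(f"{ip:15} {n} rejected /mapi/ requests")
```

Windows-authenticated clients also draw one 401 challenge per new connection, so read the output as a ranking to pivot from rather than an exact count of bad passwords.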