// soc investigation 2026-02-23
SOC175 PowerShell Found in Requested URL - Possible CVE-2022-41082 Exploitation
letsdefend High closed ✓ true positive
mitre/T1190 mitre/T1059-001 mitre/T1046 RCE
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1190 Exploit Public Facing Application
T1059.001 PowerShell
T1046 Network Service Discovery

👤 Who

The external source IP 58.237.200.6 sent crafted Autodiscover requests to Exchange Server 2 (172.16.20.8) matching the ProxyNotShell pattern associated with CVE-2022-41082 exploitation. AbuseIPDB lists over 600 reports against the IP for abusive scanning and brute-force activity, consistent with an opportunistic mass scanner rather than a targeted actor.

🔎 What

The attacker sent multiple HTTP GET requests to /autodiscover/autodiscover.json with PowerShell indicators in the query string. The same request pattern also referenced other Exchange backend paths, including ews and owa. A PowerShell reference inside an Autodiscover URL is the signature of ProxyNotShell exploitation attempts targeting CVE-2022-41082. All requests were blocked by IIS; the sc-status recorded for each request, not the mere presence of the pattern, is what supports that conclusion.

🕐 When

Sep 30 2022 07:19 AM

📍 Where

Hostname Exchange Server 2
Destination IP 172.16.20.8
Log Source IIS
Source IP 58.237.200.6
Request URL /autodiscover/autodiscover.json with embedded PowerShell indicators

💡 Why

CVE-2022-41082 is the remote code execution half of ProxyNotShell, which was a zero-day affecting Microsoft Exchange at the time of this event (Microsoft shipped fixes in November 2022). Its companion, CVE-2022-41040, is an SSRF in the Autodiscover front end: a specially crafted /autodiscover/autodiscover.json URL is proxied by the front end to a backend path of the attacker's choosing, and CVE-2022-41082 is reached when that path is the PowerShell remoting endpoint. The URL structure seen here matches that chain, and the scanning behaviour indicates reconnaissance or exploitation attempts. The user agent zgrab is the ZMap project's application-layer scanner and is commonly associated with internet-wide scanning. Both CVEs require valid Exchange credentials, so an unauthenticated scanner hitting the pattern cannot succeed on its own; a matching request answered with a 200 for an authenticated account would be the signal of real exploitation.
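The detection logic behind this alert, written out as an added example that is not part of the original investigation notes: a small parser for IIS W3C logs that flags the ProxyNotShell Autodiscover pattern, labels the PowerShell backend separately from other backend probes, and escalates only when an authenticated request actually got a 200. The log lines are constructed for illustration (the field layout, the evil.corp host and the 203.0.113.9 client are assumptions, not data from the event); only the 58.237.200.6 address and the target host come from the case.

```python
"""Flag ProxyNotShell-style Autodiscover requests in IIS W3C logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed IIS W3C log lines resembling the event; not copied from the case.
# IIS replaces spaces inside a field with '+', so whitespace splitting is safe.
SAMPLE_IIS_LINES = """
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 07:19:01 172.16.20.8 GET /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 58.237.200.6 Mozilla/5.0+zgrab/0.x 401
2022-09-30 07:19:02 172.16.20.8 GET /autodiscover/autodiscover.json @evil.corp/ews/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 58.237.200.6 Mozilla/5.0+zgrab/0.x 401
2022-09-30 07:19:03 172.16.20.8 GET /autodiscover/autodiscover.json @evil.corp/owa/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 58.237.200.6 Mozilla/5.0+zgrab/0.x 401
2022-09-30 07:20:00 172.16.20.8 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe 10.1.4.22 Microsoft+Office/16.0 200
2022-09-30 07:21:00 172.16.20.8 GET /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 CORP\\svc_backup 203.0.113.9 python-requests/2.28 200
"""

# Exchange backend paths reachable through the Autodiscover SSRF (CVE-2022-41040);
# "powershell" is the one that leads to the RCE (CVE-2022-41082).
BACKEND_PATHS = ("powershell", "ews", "owa", "ecp", "mapi", "oab")

# Host segment after '@' must stop at a '/', so a legitimate Email=user@corp.com
# query (no backend path after the host) is not matched.
BACKEND_RE = re.compile(r"@[^/&?]*/([a-z]+)")


@dataclass
class Finding:
    time: str
    client_ip: str
    user_agent: str
    username: str
    status: int
    backend: str
    stage: str    # "rce_attempt" (PowerShell backend) or "ssrf_probe"
    outcome: str  # "blocked" or "escalate"


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than mis-index
        yield dict(zip(fields, values))


def classify(entry):
    """Return a Finding for a ProxyNotShell-shaped request, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote(entry.get("cs-uri-query", "")).lower()  # decode %3F etc.
    if "autodiscover.json" not in stem or "@" not in query:
        return None
    m = BACKEND_RE.search(query)
    if not m or m.group(1) not in BACKEND_PATHS:
        return None
    backend = m.group(1)
    status = int(entry.get("sc-status", "0"))
    username = entry.get("cs-username", "-")
    # Exploitation needs valid credentials: a 200 for an authenticated principal
    # means the front end proxied the request, which must be escalated.
    outcome = "escalate" if status == 200 and username != "-" else "blocked"
    return Finding(
        time=f'{entry["date"]} {entry["time"]}',
        client_ip=entry["c-ip"],
        user_agent=entry.get("cs(User-Agent)", "-"),
        username=username,
        status=status,
        backend=backend,
        stage="rce_attempt" if backend == "powershell" else "ssrf_probe",
        outcome=outcome,
    )


def scan(text):
    """All findings in a log, in file order."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_IIS_LINES):
        print(f"{f.time} {f.client_ip} {f.backend:<10} {f.stage:<12} {f.status} {f.outcome}")
```

The three zgrab requests from the case IP come out as blocked (401, no username), which is the situation this ticket describes. The last constructed line shows the case that would change the verdict: the same URL, but authenticated and answered with a 200, which the scanner reports as escalate. When triaging a real instance, the status code and username columns are the two fields to read first.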

Evidence
Request URL contained PowerShell string
Autodiscover endpoint targeted
Multiple HTTP GET requests observed
User Agent Mozilla zgrab
IP reported over 600 times in AbuseIPDB
All requests blocked by IIS

📋 Response

The alert was confirmed as a True Positive: the requests were a genuine exploitation attempt, but IIS blocked them at the web server layer, and no successful exploitation or backend PowerShell execution occurred. No further escalation was required. The source IP was documented and monitoring continued for any repeat of the pattern from other sources or with an authenticated response.