Decoding OWA Ids in On-Prem Exchange

If you’ve analyzed Outlook Web Access (OWA) logs in an on-premises Exchange environment, you’ve likely run into strange Base64-encoded strings embedded in GetFileAttachment HTTP requests. At first glance, decoding one of these strings might yield a GUID-like result—encouraging, but ultimately not actionable on its own. What’s buried deeper, though, is far more useful: a MAPI …

Blue Team Tactics: Honey Tokens Pt. II

This is a multipart blog post; read part one and then continue here. We enabled filesystem auditing, created our audit template, and staged our honey tokens for deployment in part one. In part two, we will deploy the honey tokens and identify various methods for monitoring adversary interaction. Deploying honey tokens using PowerShell (PoSh) I …