Decoding OWA Ids in On-Prem Exchange

If you’ve analyzed Outlook Web Access (OWA) logs in an on-premises Exchange environment, you’ve likely run into strange Base64-encoded strings embedded in GetFileAttachment HTTP requests. At first glance, decoding one of these strings might yield a GUID-like result—encouraging, but ultimately not actionable on its own. What’s buried deeper, though, is far more useful: a MAPI …

A Tale of an MSBuild In-Line Task

I analyzed a suspicious file found during an Incident Response (IR) that turned out to be an in-line MSBuild task. The file had a byte array with an extremely long sequence of bytes. My first thought was that it was a binary of some sort. I extracted the bytes and wrote a few lines of C …