[nsp-sec] Pwned IMAP accounts searches.

Scott A. McIntyre scott at howyagoin.net
Wed Jul 28 20:00:41 EDT 2021


G'day RuthAnne,

On 29 July 2021, at 0231, RuthAnne Bevier wrote:

> On Mon, Jul 26, 2021 at 10:56:33AM +1000, Scott A. McIntyre wrote:
>> Sure, please do - I'm sure they can make good use of it!
>>
>
> Well, I feel quite stupid asking this, but: how are you seeing these search terms?  We're running O365 and our logs don't appear to be granular enough to provide this information.  Ultimately we'll be disabling IMAP access entirely, which will solve this particular problem.


It's a great question, actually!

This issue has nothing to do with Microsoft products; we don't use them for our customers.

The product we use for our consumers has highly detailed logs available for certain types of events, and after a spate of TLP:RED level account compromises, we turned on some additional logging to better understand the actions of the account interlopers.

Not all IMAP servers can log search requests, and I am afraid I have no idea if Microsoft's products can provide that level of detail (based upon the logs I've accessed for our corporate O365 environment, nope, won't be there).

Regards,

Scott
