🚨 CYBER INTELLIGENCE ALERT: 🇰🇭 [UNCONFIRMED] EXFILTRATION OF INSTITUTIONAL EMAIL CONFIGURATION — CAMBODIA MINISTRY OF TRADE
[STATUS: UNCONFIRMED / DATA EXFILTRATION / GOVERNMENT SECTOR / EXCHANGE ENVIRONMENT]
A post has been detected on underground forums by the threat actor spark, claiming to have extracted and leaked a complete batch of records belonging to the Ministry of Trade of the Kingdom of Cambodia (moc.gov.kh). The dump contains an estimated 2,100 records (2.1K leaked) with internal configurations and metadata from the institution's corporate email server.
Threat Actor: spark
Affected Entity: Cambodia Ministry of Trade (moc.gov.kh)
Size of the Breach: 2,100 configuration rows/records.
Distribution Format: CSV file exposed for direct download.
Technology Exposed: Microsoft Exchange Mail Servers (Versions 15.0.0.0 / Exchange Server 2013 or later).
📂 Analysis of the Exposed Schema and Data (PII and Network Metadata)
The raw data sample provided by the attacker confirms that the file corresponds to a direct administrative dump extracted from the Active Directory and Microsoft Exchange management roles. The diagram explicitly outlines the ministry's hierarchical and operational structure:
- High-Privilege and Infrastructure Accounts: The list reveals global administration and integrated services addresses.
- Email Addresses and Real Names (PII): Full identities and email addresses assigned to officials, diplomats, and advisors.
- Organizational Structure Mapping (Organizational Units): Each record details the employee's exact position within the Kingdom of Cambodia's state organizational chart, divided into:
  - General Directorates: General Director of Domestic Trade, General Director of Trade Services.
  - Planning Departments: Department of Planning, Statistics, and Trade Information; Department of Legal Affairs.
  - Provincial Delegations: Battambang Province, Tbong Khmum Province, Kandal Province, Kep Province.
  - Advisory and Attaché Offices: Advisor, Commercial Attaché.
⚠️ Risk and Tactical Impact Considerations
Targeted Brute-Force Attacks: Knowledge of specific databases and ActiveSync policies enables threat actors to conduct targeted password-spraying attacks against the Ministry's public Outlook Web App (OWA) portals, attempting to access government mailboxes using weak or default passwords.
🛡️ Recommended Actions (Defensive Level)
Microsoft Exchange Log Auditing: It is recommended to proactively alert system administrators for the moc.gov.kh portal to review mailbox export logs (`New-MailboxExportRequest`) or organizational discovery PowerShell commands (`Get-Mailbox`) to identify which legitimate account or administrator was compromised to extract such a list.
VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io
#CyberSecurity 🔐 #ThreatIntelligence 📊 #Cambodia 🇰🇭 #GovTech #DataBreach 📁 #MicrosoftExchange #ActiveDirectory #PII #MOC #VECERT 🏢
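An added example, not part of the VECERT alert: the mailbox-export log review the alert recommends, written for an on-premises Exchange 2013+ Management Shell (the 30-day window and result size are assumptions). One caveat the alert leaves out: the Exchange admin audit log never records Get-* cmdlets, so `Get-Mailbox` enumeration cannot be found there and has to be hunted in PowerShell transcript/module logs or IIS logs instead.

```powershell
# Added example (not from the VECERT alert): list mailbox export requests recorded in the
# Exchange admin audit log for the last 30 days and group them by the account that ran them.
# Assumes an on-premises Exchange 2013+ Management Shell with admin audit logging enabled.
$start = (Get-Date).AddDays(-30)   # assumed review window
$end   = Get-Date

$exports = Search-AdminAuditLog -Cmdlets New-MailboxExportRequest `
    -StartDate $start -EndDate $end -ResultSize 5000

# One row per export: when, who ran it, which mailbox, the target PST path, and whether it succeeded.
$rows = $exports | ForEach-Object {
    [pscustomobject]@{
        RunDate   = $_.RunDate
        Caller    = $_.Caller
        Mailbox   = $_.ObjectModified
        FilePath  = ($_.CmdletParameters | Where-Object { $_.Name -eq 'FilePath' }).Value
        Succeeded = $_.Succeeded
    }
}
$rows | Sort-Object RunDate -Descending | Format-Table -AutoSize

# Callers with an unusual number of exports, or exports to unexpected paths, are the first
# accounts to review for compromise.
$rows | Group-Object Caller | Sort-Object Count -Descending | Select-Object Name, Count

# Get-* cmdlets (including Get-Mailbox) are never written to the admin audit log, so mailbox
# enumeration must be hunted in PowerShell transcript/module logging or IIS logs instead.
```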
I haven't used since ActiveSync disabled. Curious what those workarounds might be? Closest I could think is having say Spark notifications on just Apple Watch so at least know when to manually check Mail. Is there a better one such as a third party method to cause mail to
A CVSS 10 vulnerability (CVE-2026-10520) that allows unauthenticated code execution as root has been found in "Ivanti Sentry", a gateway used for enterprise mobile device management, and a technical write-up reproducing the attack was published immediately after the patch was released. Sentry is a relay appliance that sits between mobile devices and internal systems such as Exchange; if it is taken over, it can become an entry route into those internal systems. At the same time, a separate vulnerability that allows creating arbitrary administrator accounts by bypassing authentication (CVE-2026-10523, CVSS 9.9) was also fixed. Although no in-the-wild exploitation had been confirmed at the time the advisory was published, the barrier to attack has dropped sharply.
On the other hand, the reporters have also questioned the nature of the fix, which leaves the vulnerable command-execution function itself in place and merely adds authentication in front of it. Ivanti products have been exploited repeatedly in recent years, and this case, a CVSS 10 unauthenticated root code-execution flaw with reproduction steps available right after disclosure, is an extension of that trend.
[Key points]
- The affected product is the former MobileIron Sentry. It sits between mobile devices and internal systems such as Exchange, relays ActiveSync mail and app traffic, and passes only enrolled devices through to internal resources. Because it is placed at the network boundary, its compromise can become a foothold for intrusion into the internal network.
- CVE-2026-10520 is OS command injection. A parameter in a specific request that can be sent without authentication is interpreted as a configuration command and, after internal processing, ultimately results in OS command execution. Because it leads to remote, unauthenticated arbitrary code execution as root, it is rated CVSS 10 (the maximum).
- watchTowr Labs, which published the analysis, located the relevant code from the fact that the difference between the vulnerable and fixed versions was confined to a single routine in a single file, and reportedly reproduced the issue the same day. The discoverer of CVE-2026-10520 itself is said to be a different reporter, not watchTowr.
- The other flaw, CVE-2026-10523, is an authentication bypass (CWE-288). It is said to allow bypassing authentication to create an arbitrary administrator account and obtain full administrative privileges, and is rated CVSS 9.9.
- The notable part is the content of the patch. The vulnerable command-execution function itself remains; the user-controllable input was replaced with a hard-coded value, and unauthenticated access to that function was cut off by Apache-side configuration. watchTowr characterised this as "essentially just bolting authentication on afterwards".
- Fixed versions are 10.5.2/10.6.2/10.7.1. watchTowr has also published a checking tool on GitHub that determines whether an appliance is vulnerable.
Details: labs.watchtowr.com/more-evid… hub.ivanti.com/s/article/Sec…
Replying to @nickchapsas
Even I know what Briefcase was supposed to do... Synchronize over ActiveSync to Windows CE devices (until they reused ActiveSync branding for completely different tech).
May 14
Replying to @robertgraham
Masscan guy gets a pass. Even though it still can't scan MAS (Microsoft ActiveSync).
Microsoft to Retire Exchange ActiveSync Certificate-Based Authentication dlvr.it/TSVcHn
I completely agree; moreover, many of these businesses think it is just a matter of installing cPanel on a server and forgetting about it. To offer services like email you need much more than that, and for God's sake, at least ActiveSync.
A web business that depends on cPanel, Plesk or similar shows a lack of real control over its infrastructure and can hardly be considered serious.
Entra Hardening Tip #4 - Block legacy authentication
Problem: Legacy auth (SMTP/IMAP/ROPC) doesn’t support MFA, making it a prime target for password attacks and an easy entry point for attackers using stolen creds. Legacy authentication also provides attackers with a consistent method to reenter a system using compromised credentials without triggering security alerts or requiring reauthentication. @ellishlomo shared some insights on how attackers are still targeting tenants that allow legacy protocols (see below).
Fix:
- Assignments - All users
- Target resources > All resources
- Conditions - Client apps, set Configure to Yes.
- Check only the boxes Exchange ActiveSync clients and Other clients.
- Access controls - Block access
Replying to @RidgelineCyber
Piloted this wider than I should have. Exchange ActiveSync clients started failing silently. Entra logs showed token protection unsupported, users just stopped syncing with no error surfaced. Scope to compliant, modern auth clients first. The gap is real, so is the blast radius.
Critical Exchange Flaw: A New Risk That Leaks Data Through Mobile Synchronization!
A new security vulnerability is on the agenda that closely concerns organizations running Microsoft Exchange, especially on-prem. The flaw, identified as CVE-2025-58107, creates serious data-leak risks in the synchronization processes between Microsoft Exchange Server and mobile devices. What caught my attention is this: the issue is a bit different from the classic "a patch arrives, we apply it" level, because the flaw relates directly to Exchange ActiveSync behaviour and certain device implementations. According to technical analyses, in ActiveSync connections made particularly with some Samsung devices, critical data is not always protected the way we expect. Some of the information passing over the network:
*Username
*Email address
*Device ID
*Authentication tokens
*Base64-encoded passwords
can in some scenarios be carried in cleartext (unencrypted). This means a serious "low effort / high impact" attack surface for anyone able to listen to network traffic.
What is the solution?
*TLS 1.2 must be made mandatory for ActiveSync
*HTTP must be completely disabled (SSL enforcement is a must)
*Old TLS and legacy protocols must be disabled
*Modern Authentication (OAuth) should be used where possible
*Exchange servers must be kept up to date
*Segmentation and monitoring must be done on the network side
Legacy Auth Every credential stuffing attack your SOC investigates this year will almost certainly have one thing in common: legacy authentication was enabled. SMTP, IMAP, POP, old ActiveSync — none of them support MFA. Attackers know this. They don't bother trying to bypass MFA. They find the one legacy auth endpoint you left open for "that scanner" and walk straight in. The fix is a conditional access policy that blocks legacy auth. The hard part is finding out what breaks — it's always a shared mailbox, a multifunction printer, or an executive's old phone. The Entra ID Security course covers the full lifecycle: discovery query, report-only policy, stakeholder negotiation, enforcement, and the OAuth alternatives for every legacy use case. 19 modules, first 2 free. Course Access: training.ridgelinecyber.com/…
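An added example, not code from either post, covering the discovery query and the report-only policy that Entra Hardening Tip #4 and the Legacy Auth post above describe, using the Microsoft Graph PowerShell SDK. It assumes `Connect-MgGraph` was already run with the AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess scopes; the 7-day window and the policy name are assumptions.

```powershell
# Added example (not from the posts): find who still signs in with legacy authentication,
# then create the "block legacy auth" Conditional Access policy in report-only mode.
# Assumes Connect-MgGraph has been run with AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess.

# 1. Discovery: in the Entra sign-in log, any client app other than "Browser" or
#    "Mobile Apps and Desktop clients" is a legacy-authentication client.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')  # assumed window
$modern = @('Browser', 'Mobile Apps and Desktop clients')

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }

# What would break: one line per user/protocol pair. Expect shared mailboxes,
# multifunction printers and old phones to show up here.
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# 2. Report-only policy with the settings from the tip: all users, all resources,
#    client apps "Exchange ActiveSync clients" and "Other clients", access blocked.
$policy = @{
    displayName   = 'CA - Block legacy authentication'    # assumed name
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing the report
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only until the sign-in log shows no legitimate legacy clients that still need a migration path; the reply further up about ActiveSync clients failing silently is what enforcing too early looks like.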
I had been using smartphones since before the iPhone 3G arrived in Japan, and one of the reasons was "because it's easy to link data with a PC". Windows Mobile smartphones could be connected to a PC over USB and sync contacts and files through ActiveSync, which was convenient.
🛡️ Exchange Online outage reported
Microsoft reported a failure in Exchange Online, so many users have been unable to access mailboxes and calendars. There were also problems in Outlook on the web, the browser version of Outlook, and in Exchange ActiveSync, the mechanism that synchronizes mail and calendar on phones and tablets. Microsoft said that part of its infrastructure was not processing traffic efficiently. It also investigated a separate failure in Copilot web, the browser version of Microsoft's AI assistant. This is a reminder of the risk of concentrating operations on a single provider.
💡 While the service comes back, this leaves us a couple of lessons:
1. Have a continuity plan for when a critical service in the company fails.
2. Separate critical processes from email. Collections, payments and authorizations must have an operational backup, not depend on a single inbox.
Microsoft is investigating the possibility that some users experienced connection problems accessing their Exchange Online mailboxes (incident ID: EX1253275). Current telemetry does not reproduce the problem and the impact has most likely been resolved, but monitoring continues to confirm full recovery. The affected connection methods include:
Outlook (desktop)
Outlook on the web
Mobile mail clients
Exchange ActiveSync / MAPI
API connections, etc.
We're investigating reports of some users experiencing issues when accessing their Exchange Online mailbox via one or more connection methods. More information may be found in the Microsoft 365 admin center under EX1253275.
For the last 6 hours I've been digging through Exchange and AD to find out why this person can't do ActiveSync. In the end I found it, and of course I wrapped it up with the line "screw the work you were supposed to do".
20 Dec 2025
🔔 Important Update for Exchange Online ActiveSync Users
Starting March 1, 2026, Exchange Online will no longer support devices using ActiveSync versions below 16.1. This change enhances security and reliability across mobile email access. techcommunity.microsoft.com/…
📱 Impact:
- Native mail apps (iOS Mail, Gmail, Samsung Mail) using outdated EAS versions will be affected.
- Outlook Mobile users remain unaffected.
✅ Action: M365 admins can leverage my custom KQL query to quickly identify devices running outdated ActiveSync versions. This makes it easier to assess impact and guide users toward compliant apps before the March 2026 deadline.🫡 #ExchangeOnline #CloudSecurity #M365
17 Dec 2025
Run this before 3/1/26 to identify which users won't be able to connect to Exchange Online after Microsoft blocks ActiveSync versions less than version 16.1:
Get-MobileDevice | Where-Object {($_.ClientType -eq 'EAS' -or $_.ClientType -match 'ActiveSync') -and $_.ClientVersion -and ([version]$_.ClientVersion -lt [version]'16.1')} | Sort-Object UserDisplayName | Select-Object UserDisplayName, UserPrincipalName, DeviceId, DeviceModel
Microsoft to block Exchange Online access for outdated mobile devices - @serghei bleepingcomputer.com/news/mi… bleepingcomputer.com/news/mi…