I'm trying to see if I can decipher the messages coming back from Exchange when I try to log in via secure IMAP.

My Office 365 accounts are under attack and I've disabled IMAP (and legacy login), but I'm still getting errors (bad passwords) in Azure AD telling me people are using IMAP to try to log in. I would like to see what error the attacker is getting when they try secure IMAP, whether it is bouncing because of the password or some other error. My concern is that if it is bouncing on the password, then with some other error when they get it right, that could be a big problem.

I've tried to get Fiddler working but I can't get it to see the traffic on 993 (I'm trying on a Win 7 test computer). I've tried these directions https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/ to get Wireshark working. I get a log file but can't decipher the traffic. Is there something I'm missing, or is this something I just can't do?

schroeder
Sean
  • The traffic is encrypted. You need to decrypt the packet capture that you created with Wireshark. – schroeder Jul 18 '19 at 19:35
  • Thank you @schroeder. I'm sorry, I don't normally do this; I would normally use Fiddler to decrypt traffic but I don't think it supports this protocol. I used the directions at the link above to set up Wireshark to decrypt but I couldn't make out the results. Is there something I'm missing? – Sean Jul 18 '19 at 19:59

0 Answers