01 // Where Is This Coming From?
🎯 Your Server — Columbia County, Georgia, USA
This is Columbia County Board of Education's Exchange email server. It is publicly accessible on the internet so that staff can access their email from home or mobile devices. That same accessibility is what the attacker is exploiting.
Public IP: 168.11.164.235
Location: Evans, GA, USA
Service: Microsoft Exchange 2019
💀 Attacker Infrastructure — Netherlands / EU
The attacker is operating from a rented block of 42+ anonymous IP addresses in the 80.66.66.x range, likely hosted in the Netherlands. These are commercial "bulletproof" VPS servers designed to be hard to trace or shut down.
Type: Anonymous VPS / Proxy Farm
Location: Netherlands (EU)
Purpose: Hide attacker identity
02 // What Is MailSniper?
MailSniper is a hacking tool — a piece of software that anyone can download for free from the internet. It was originally created by security researchers to help companies test their own defenses, but criminals use it to break into real organizations.
It is specifically designed to attack Microsoft Exchange email servers, which is exactly what CCBOE runs. It works by trying to guess employee passwords automatically — thousands of times per day — until it finds one that works.
Imagine someone standing outside your school building with a master key ring containing 10,000 keys. Every minute, day and night, they try another key in the front door lock. They never get tired, never give up, and keep coming back. That is exactly what MailSniper is doing to CCBOE's email system — trying a different password combination every 60–90 seconds, around the clock.
03 // How the Attack Works — Step by Step
This is exactly what happens each of the 106,000+ times the attacker contacts your server. The entire cycle takes about 1–2 seconds and repeats automatically.
Before the attack begins, the attacker gathers a list of CCBOE email addresses. Exchange servers have a feature called the Global Address List (GAL) — essentially a public phone book of every employee's email address. MailSniper can silently download this entire list.
This is why the Security Event Log contained hundreds of real staff email addresses including names like donna.morris, natasha.hartley, william.mobley, and many others — the attacker likely already has your full staff directory.
Instead of attacking directly from their real computer, the attacker routes their traffic through 42 rented anonymous servers in the Netherlands. This hides their true location and makes it much harder for IT teams to block them — every time one IP gets blocked, another one takes over.
Each IP sends approximately 1,200 attempts before the next IP picks up the job, staying just below the threshold that would trigger automatic blocking.
Every request the attacker sends includes a fake "identity tag" claiming to be Firefox 135.0 running on Windows 10. This is called a User-Agent string — every web browser and email program tells the server who it is when it connects.
Real Outlook email clients identify themselves as Microsoft Office/16.0. A web browser like Firefox has absolutely no business talking to an Exchange mail endpoint — this spoofing is an immediate red flag that the traffic is automated and malicious.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
This is the core of the attack. MailSniper sends a login request to your Exchange server's web services endpoint (/ews/exchange.asmx) with a real staff email address and a guessed password.
Rather than trying many passwords against one account (which would trigger a lockout), the attacker uses a technique called "password spraying" — trying one common password against hundreds of different accounts. This stays below lockout limits while still testing huge numbers of combinations.
Common passwords tried include things like: Summer2026!, CCBOE2026, Password1!, Welcome123
Your Exchange server rejects the login attempt and returns HTTP 401 — Unauthorized. This means the guessed password was wrong. This has happened 104,875 times.
The attacker's script receives the rejection, logs it, waits ~60–90 seconds, then automatically tries the next email address and password combination. This cycle repeats indefinitely — 24 hours a day, 7 days a week, for 30 days straight.
If MailSniper successfully guesses a password, the consequences are severe. With valid Exchange credentials, the attacker can:
04 // Attack Escalation Over Time
The attacker is not giving up — they are increasing pressure. Daily request volume has grown 10x over 30 days.
05 // Three Distinct Threats Found
SPRAY
Password Spray Attack from 80.66.66.0/24
The primary and most serious threat. 42 rotating IPs systematically attempting to log into every staff email account using common passwords. Running 24/7 since March 24 and accelerating. This is targeted and intentional — the attacker specifically chose CCBOE's Exchange server.
SCANNER
Command Injection Probes from 100.27.42.0/24 (AWS)
A separate actor running automated vulnerability scans, attempting to exploit a known web server flaw through the OWA interface. The probe attempts to run system commands (Servername=127.0.0.1;id;) on the server. The exploit did not succeed, but the probing recurs monthly.
SCANNERS
General Internet Reconnaissance
Multiple automated internet scanning services (Shodan, Palo Alto Cortex Xpanse, and others) have found and catalogued your Exchange server's OWA login page. These are not directly malicious but confirm that your server is publicly visible and indexed — meaning any attacker searching for vulnerable Exchange servers can find yours.
06 // How We Know This Is an Attack
| Indicator | What the Attacker Does | What a Real Employee Does | Verdict |
|---|---|---|---|
| User-Agent | Firefox/135.0 | Microsoft Office/16.0 | Attack |
| Login Result | 401 × 104,875 consecutive failures | 401 once, then 200 (success) | Attack |
| IP Origin | Netherlands anonymous VPS | CCBOE network or employee's home ISP (Georgia) | Attack |
| IP Count | 42 different IPs rotating | 1–2 IPs (home + work) | Attack |
| Time of Day | 24/7, including 2–4 AM | Business hours + occasional evening | Attack |
| Request Interval | Perfectly metered every 60–90 seconds | Variable, based on when user checks email | Attack |
| Auth Type | Basic Auth (sends password in plain Base64) | Kerberos / Modern Auth (secure token) | Attack |
| Connection Type | Connection: close (disconnect after each try) | Persistent connection (stays open for hours) | Attack |
| Duration | 30+ days, continuous, still active | Normal business usage pattern | Attack |
07 // IPs to Block Immediately
🔴 Primary Attacker — Block Entire Subnet: 80.66.66.0/24
Block the full /24 range, not just individual IPs. The attacker controls the entire block and will shift to unused addresses if only specific IPs are blocked.
🟠 Secondary — Block Subnet: 100.27.42.0/24 (SNMP Injection Scanners)
08 // Recommended Actions
- 01 → Block 80.66.66.0/24 at the perimeter firewall immediately
  This stops the current attacker infrastructure from reaching the server. Do this today. It does not fix the underlying vulnerability but stops the bleeding.
- 02 → Disable Basic Authentication on Exchange EWS and OWA
  Basic Auth is what MailSniper relies on. Disabling it closes the door the attacker is knocking on. Modern Outlook clients do not need Basic Auth — they use secure modern authentication instead.
- 03 → Enable Multi-Factor Authentication (MFA) for all staff email accounts
  MFA means that even if the attacker guesses a correct password, they still cannot log in without the second factor (like a phone notification). This is the single most effective defense against password spray attacks.
- 04 → Manually inspect W3SVC2 IIS logs on the Exchange server
  The IIS logs for the RPC endpoint (199MB, too large to process here) must be searched for any HTTP 200 responses from 80.66.66.x IPs. This would confirm whether any login attempt actually succeeded.
- 05 → Verify with IT leadership that no penetration test is authorized
  Before treating this as a confirmed hostile attack for escalation/reporting purposes, confirm in writing that no security testing firm has been contracted to test Exchange. If no signed authorization exists, this is a real attack.
- 06 → Notify your cyber insurance carrier and consider engaging an IR firm
  30 days of sustained targeting by a persistent threat actor against a school district's email server warrants professional incident response support. Many cyber insurance policies cover IR firm costs.