
Sprayable Exchange Authentication Endpoints

Check each endpoint with curl -ksI <endpoint>. If it returns an authentication header (NTLM, Basic, etc.), it is sprayable.

Sprayable if it returns WWW-Authenticate: Basic|NTLM|Negotiate or shows a password form; if it answers with a 30x redirect to an IdP, spray at the IdP instead.

On-prem endpoints require the UPN (email@domain.com) or DOMAIN\samAccountName format and will not accept alternative email addresses.

https://<host>/EWS/Exchange.asmx

Exchange Online: Basic disabled; OAuth required. On-prem: typically NTLM/Negotiate; Basic may be enabled depending on config.

Spray with the Metasploit owa_ews_login module: https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/

https://<host>/Autodiscover/Autodiscover.xml

Exchange Online: Basic disabled; Modern Auth used. On-prem: typically NTLM/Negotiate; Basic may be enabled depending on config.

https://<host>/owa/

Internet exposure is common for user access, but should only be done behind IdP pre-auth/federation with MFA and with Basic/legacy auth disabled. Sprayable only if it shows a password form or advertises Windows/Basic auth.

https://<host>/ecp/

Should not be internet-exposed; publish internally or restrict to admin-only access. Only sprayable if it shows a password form or advertises Windows/Basic auth.

https://<host>/Microsoft-Server-ActiveSync

Exchange Online: Basic disabled; on-prem may expose Basic/NTLM if not hardened.

Client OWA login:
https://<host>/owa/auth/logon.aspx

Exchange Admin Center:
https://<host>/owa/auth/logon.aspx?replaceCurrent=1&url=https://<host>/ecp
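Added example, not part of the original page: a small POSIX shell script that runs the curl -ksI check described above over your own Exchange hosts and classifies each response as legacy auth advertised, redirect to an IdP, or nothing advertised, so you can confirm that hardening (Basic disabled, pre-auth in front of OWA/ECP) actually took effect. The hostname, URLs and sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original page: audit your own Exchange endpoints
# for legacy password auth. It reads the headers `curl -ksI` returns and reports
# whether an endpoint advertises Basic/NTLM/Negotiate, redirects to an IdP,
# or answers 200 (usually a logon form; inspect the body by hand).

# classify_auth: raw response headers on stdin -> one line on stdout:
#   legacy:<schemes>    WWW-Authenticate offers Basic/NTLM/Negotiate
#   redirect:<location> 30x to another URL, so review that IdP instead
#   none:<status>       nothing advertised (200 usually means a password form)
classify_auth() {
  hdrs=$(tr -d '\r')                      # strip CRLF line endings once
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  # First token of every WWW-Authenticate value, deduplicated, order kept
  schemes=$(printf '%s\n' "$hdrs" | grep -i '^WWW-Authenticate:' \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:],].*$//' \
    | awk '!seen[$0]++' | paste -s -d, -)
  case "$(printf '%s' "$schemes" | tr 'A-Z' 'a-z')" in
    *basic*|*ntlm*|*negotiate*) printf 'legacy:%s\n' "$schemes"; return 0 ;;
  esac
  case "$status" in
    30[1278])
      location=$(printf '%s\n' "$hdrs" | grep -i '^Location:' | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//')
      printf 'redirect:%s\n' "$location"; return 0 ;;
  esac
  printf 'none:%s\n' "$status"
}

# check_endpoint: fetch headers the way the page does (curl -ksI) and classify.
check_endpoint() {
  printf '%s -> ' "$1"
  curl -ksI --max-time 10 "$1" | classify_auth
}

# audit_host: run the check over the endpoints listed on this page.
audit_host() {
  for path in /EWS/Exchange.asmx /Autodiscover/Autodiscover.xml /owa/ /ecp/ \
              /Microsoft-Server-ActiveSync; do
    check_endpoint "https://$1$path"
  done
}

# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_ONPREM_EWS=$(printf 'HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n')
SAMPLE_IDP_REDIRECT=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://login.example.com/adfs/ls/?wa=wsignin1.0\r\n')
SAMPLE_OWA_FORM=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n')

if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Run as `sh audit.sh mail.example.com` against a host you administer; the samples at the bottom let you exercise classify_auth offline with `printf '%s\n' "$SAMPLE_ONPREM_EWS" | classify_auth`.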