What defenses can organizations implement to detect or prevent hidden folder abuse in Exchange?

Organizations should monitor for unusual EWS activity, such as bulk folder creation or extended property changes, and enable mailbox auditing to track folder modifications. Regularly scanning mailboxes for folders with `PidTagAttributeHidden` set to `true` can also help. Additionally, restricting EWS access to only trusted applications and users reduces the attack surface, complementing techniques like those described in Penetration Techniques - Accessing Internal File Shares via Exchange ActiveSync.