Hi Joe13,
I am actually having a similarly problem and found out it was outside malicious SMTP login attempt (which is handled by FrontEndTransport.exe) and found these info with in "ProtocolLog\SmtpReceive" logs, this thread - https://www.reddit.com/r/exchangeserver/comments/10yzv8q/msexchangefrontendtransportexe_locking_ad_account/ - gave me a great info to find the info.
Quote from article thread:
"
port25
· 26 days ago
"All users lie" -House M.D.
It is probably a receive connector if it's FrontEndTransport
Do you have diagnostic logging turned up on your receive connectors?
IIS Logs should write within 20 minutes or so, but FE is not IIS. If you don't see log activity it's because it's not in use.
Use Get-FrontEndTransportService to find your log location. Should be something like this: C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
I'm a fucking moron don't listen to me.
"
I kept the whole quote of that answer, but it really assisted me, so I do not believe in step 6
/Steven
