Exchange and Interesting Draft Emails

TempDRK 1 Reputation point
2022-09-26T15:05:33.003+00:00

We are having something interesting happen with our Outlooks.

A string of draft emails will pop up in all users' draft boxes. They all have the title "Microsoft Outlook Test message XXXXXXX". The Xs are random numbers.

Our Exchange server is patched up to CU22, and we have AV running, and we are behind a firewall.

I reached out to a cyber contractor we have, and they suspected compromise, and we went through the list of remediation for malicious activity: checking for webshells, hidden accounts, mailboxes, checking logs for scripts, running the EOMT.ps1 and doing a full scan with our AV. Nothing found; they kept our ticket open and told me to keep an eye on it.

A week later we all have a few more in our draft folders. Thought I would look out a little further for assistance.


Exchange | Exchange Server | Management

2 answers

  1. TempDRK 1 Reputation point
    2022-09-30T11:59:36.937+00:00

    We were hit by ProxyShell.

    We have since patched and used mitigation tools.


  2. Joyce Shen - MSFT 16,701 Reputation points
    2022-10-03T07:58:22.607+00:00

    Hi @TempDRK

    Thanks for sharing more information about this issue.

    You may also refer to the recent blogs:
    Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
    Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

    Installing the latest SU and mitigation tools is the way suggested by Microsoft.



