This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 98%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hello I have run the Test-Proxy PowerShell script and got back a notice that suspicious activity has been found . i received 3 .CSV files.
What should i be looking at specifically in these files. there are somewhere meaningless
These are the headers in the CSV file
DateTime RequestId ClientIpAddress UrlHost UrlStem RoutingHint UserAgent AnchorMailbox HttpStatus
What am I looking for?
There should be data in those columns. Is there not?
Scan your system:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server
ya there is i didn't post it just for the sake of privacy.
Here is the data from the Anchor Mailbox column
AnchorMailbox
ServerInfo~a]@NVH-Exchange.xxx.local:444/mapi/emsmdb/?#
ServerInfo~a]@CAxxx.xxxxxxx.intra:444/mapi/emsmdb/?#
ServerInfo~EXCHANGE/EWS/Exchange.asmx?a=
ServerInfo~<no value>.82axxxx4a.d.requestbin.net/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/ecp/default.flt?
ServerInfo~buxxxxx.net/ecp/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
ServerInfo~somethingnonexistent/ecp/default.flt?
Yep, yea, so follow that blog and scan for any known exploits from this using the scanner from the link above.
I would read through this latest update as well.
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
If you find no evidence of actual compromise, then you are probably ok, but look to getting a quality anti-malware solution for Exchange for ongoing protection.
If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.
For safety reasons, it is recommended that you upgrade your Exchange server to the lasted CU, then install the security patch. After that, open a ticket to Microsoft, they may could help you carry out further investigations remotely.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.