This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 91%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hello Everyone,
Last week some of my users noticed a draft email they did not create. The email contained an attachment and their email address was in the 'TO' field. I ran the latest MSERT on the server and it found the following threat:
Backdoor:MSIL/Chopper.F!dha
I rebooted the server and re-run MSERT which did not find any threats.
Today, the same issue occurred. I ran MSERT and it found:
Backdoor:MSIL/Chopper.F!dha
Backdoor:ASP/WebShell.C!MTB
I rebooted the server and re-run MSERT and it did not find any threats.
Back in March our server was compromised due to the Proxy logon vulnerability. We cleaned it out and installed the patch. I have not have any issues since then until next week.
How can I prevent this hacker from gaining access to our server?
Exchange 2019
Server 2019
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @Cesar ,
From your description, seems like what you are encountering is related to the proxyshell vulnerability as mentioned in the blog below:
ProxyShell vulnerabilities and your Exchange Server
According to the blog, if you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. So for your situation, it's suggested to install the latest CU and SU on all your Exchange servers to protect your Exchange environment against these threats.
Furthermore, here's a thread which discuss a similar issue for your reference:
Unexpected Spam email in Outlook Draft folder
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Yukisum
Thanks for the response.
I further looked into this issue... the Exchange CU that we are currently running is 4.
Will I be able to upgrade the CU4 to CU9 or 10 to obtain the latest patch?
I was under the assumption, MS updates would also update the exchange software... I was wrong.
Please advise
Thank you
Hi @Cesar ,
Will I be able to upgrade the CU4 to CU9 or 10 to obtain the latest patch?
Each CU is a full installation of Exchange that includes updates and changes from all previous CUs, so you can directly upgrade to CU9 or CU10 without needing to install any previous CUs. Then you can use MS update or manually apply the security patches as mentioned in the blogs shared earlier.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Cesar ,
Just circling back to see how things are going on with this thread. If you still have further concern on this, please feel free to post back.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Yuki Sun-MSFT ,
I installed CU10 and the July security update.
It seems like we are okay for now.
I will continue to monitor the server.
Thank you so much!