Exchange 2019 Drafts

Cesar 41 Reputation points
2021-09-14T20:20:02.267+00:00

Hello Everyone,

Last week some of my users noticed a draft email they did not create. The email contained an attachment and their email address was in the 'TO' field. I ran the latest MSERT on the server and it found the following threat:

Backdoor:MSIL/Chopper.F!dha

I rebooted the server and re-ran MSERT, which did not find any threats.

Today, the same issue occurred. I ran MSERT and it found:

Backdoor:MSIL/Chopper.F!dha
Backdoor:ASP/WebShell.C!MTB

I rebooted the server and re-ran MSERT, and it did not find any threats.

Back in March our server was compromised due to the ProxyLogon vulnerability. We cleaned it out and installed the patch. I have not had any issues since then until next week.

How can I prevent this hacker from gaining access to our server?

Exchange 2019
Server 2019
Thank you

Exchange Server Management

Accepted answer
  1. Yuki Sun-MSFT 41,011 Reputation points
    2021-09-15T04:00:08.09+00:00

    Hi @Cesar,

    From your description, it seems like what you are encountering is related to the ProxyShell vulnerability, as mentioned in the blog below:
    ProxyShell vulnerabilities and your Exchange Server

    According to the blog, if you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. So for your situation, it's suggested to install the latest CU and SU on all your Exchange servers to protect your Exchange environment against these threats.

    Furthermore, here's a thread which discusses a similar issue, for your reference:
    Unexpected Spam email in Outlook Draft folder

