Hi everyone!
I hope you are doing good.
I am having an issue with my on-premises Microsoft Exchange 2019 server: internal email is being generated automatically,
i.e. most of my organization's users and some of our external clients' users received emails from my internal users (including users who were closed/removed a year ago) that were sent 1-2 years ago, with the same genuine message body that was sent earlier, originating from many unknown external live IPs, with some different and weird links added at the start of the email, like:
Greetings! I send here a recordwith a thorough explanation of the recent problem. Please check it here:
1)hitjamloaded.com.ng/totamdolor/omnisunde-854740
2)woo.mainsaildata.com/istenon/exercitationemdelectus-854740
Furthermore, my mail server, e.g. webmail.abc.com, has internal IP 10.2.100.22 and also has an external live IP, but I am using my spam filter as the outbound relay. As per my understanding, as these emails come from multiple different live IPs in different locations but are sent by my own Exchange users, it seems to me to be some kind of internal spoofing. My question is: is it really internal spoofing, or some kind of external malware attack, or has some current user's PC been compromised by malware that is automatically originating internal emails to all Exchange users? And how do I get rid of this weird thing?
Also, most users are observing some weird mail with a txt attachment in Drafts.
As a precautionary measure I have taken the following steps:
- Created SPF records in my local Domain
- Installed Exchange Antispam Agent
- Restarted Exchange Transport Services
- Set Internal SMTP Servers Local IP for Exchange
- Set-SenderIdConfig -SpoofedDomainAction Reject
- Created a new receive connector with the remote IP range of my intranet users and the IP range of my Exchange server and spam filter.
Can you please help me get rid of this in future, and what could be the root cause of this?
Thanks & regards,
Farrukh Ali
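
A triage check for the question above, as an added example that is not part of the original post: given the raw headers of one of the unwanted messages, it reports whether a message with an internal From address entered from an IP outside the trusted ranges or was submitted from inside. The domain abc.com and the 10.2.100.x addressing follow the post; the /24 range, the host names, the sample messages and the function names are constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "abc.com"  # domain used in the post
# Assumption: everything you relay through (Exchange, spam filter, intranet).
TRUSTED_NETS = [ipaddress.ip_network("10.2.100.0/24")]
# Sending-host IP in a Received header, e.g. "(10.2.100.22)" or "[203.0.113.7]".
HOP_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def hop_ips(msg):
    """Sending-host IP of each Received header, oldest hop first."""
    ips = []
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_IP.search(header)
        if match:
            try:
                ips.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass  # not a valid IPv4 address, skip this hop
    return ips

def triage(raw_message):
    """Classify one message by its From domain and where it entered."""
    msg = email.message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        return "external-sender"
    untrusted = [ip for ip in hop_ips(msg)
                 if not any(ip in net for net in TRUSTED_NETS)]
    # Internal From address with an untrusted hop: it came in from outside.
    # No untrusted hop: submitted inside, so look at that mailbox or PC.
    return "entered-from-outside" if untrusted else "submitted-inside"

# Constructed samples (203.0.113.7 is a documentation address).
FROM_OUTSIDE = (
    "Received: from filter.abc.com (10.2.100.30) by EX01.abc.com (10.2.100.22);\n"
    " Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from unknown (host.example [203.0.113.7]) by filter.abc.com;\n"
    " Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: Old User <old.user@abc.com>\nSubject: RE: report\n\nbody\n"
)
FROM_INSIDE = (
    "Received: from PC17.abc.com (10.2.100.57) by EX01.abc.com (10.2.100.22);\n"
    " Mon, 1 Jan 2024 11:00:00 +0000\n"
    "From: Current User <user@abc.com>\nSubject: RE: report\n\nbody\n"
)

if __name__ == "__main__":
    print(triage(FROM_OUTSIDE), triage(FROM_INSIDE))
```

Run it over the saved headers of several of the unwanted messages; the split between the two results shows whether to look at inbound filtering or at a specific mailbox or workstation first.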