Microsoft Exchange 2019 (15.2 Build 33.5) - Issues With Internal Emails anonymously originating with Old Email content

Hi everyone!

I hope you are doing good.

I am having an issue with my on-premises Microsoft Exchange 2019 server: internal emails are being generated automatically.

I.e. most of my organization's users and some of our external clients' users received emails from my internal users (including users that were closed/removed a year ago) that were sent 1-2 years ago, with the same genuine message body that was sent earlier, originating from many different unknown external live IPs, with some different and weird links added at the start of the email, like:

Greetings! I send here a recordwith a thorough explanation of the recent problem. Please check it here:
1)hitjamloaded.com.ng/totamdolor/omnisunde-854740
2)woo.mainsaildata.com/istenon/exercitationemdelectus-854740

Furthermore, my mail server, e.g. webmail.abc.com, has internal IP 10.2.100.22 and also has an external live IP, but I am using my spam filter as outbound relay. As per my understanding, since these emails have multiple different live IPs from different locations but were sent by my own Exchange users, it seems to me some kind of internal spoofing. My question is: is it really internal spoofing, or some kind of external malware attack, or in any case has one of my current users' PCs been compromised by malware and is it automatically originating internal emails to all Exchange users? And how do I get rid of this weird thing?

Also, most users are observing some weird mail with a txt attachment in Drafts.

As a precautionary measure I have taken the following steps:

  1. Created SPF records in my local domain

  2. Installed the Exchange Antispam Agent

  3. Restarted the Exchange Transport services

  4. Set the internal SMTP servers' local IPs for Exchange

  5. Set-SenderIdConfig -SpoofedDomainAction Reject

  6. Created a new receive connector with the remote IP range of my intranet users and the IP range of my Exchange server and spam filter.

Can you please help me get rid of this in future, and what could be the root cause of this?

Thanks & regards,

Farrukh Ali
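An added example, not code from the original post or from Microsoft, that turns the symptom described above into a check. Run from the Exchange Management Shell on the on-premises server; it only reads message tracking logs and receive connector configuration. Constructed assumptions for this example: the accepted domain is abc.com (from "webmail.abc.com" in the post), the Exchange server is 10.2.100.22 (from the post), and the spam filter that hands inbound mail to Exchange is 10.2.100.30 (a placeholder to substitute). The point it makes: a message with an internal sender address can only enter Exchange three ways (a mailbox submission, inbound SMTP from the spam filter, or direct SMTP from some other host on the network), and which of the three it is tells you whether you are looking at an external spoof of your domain, an anonymous receive connector being abused from inside, or a compromised account.

```powershell
# Added example (not from the original post). Exchange Management Shell, read-only.
$Domain       = 'abc.com'          # accepted domain, taken from webmail.abc.com in the post
$ExchangeIp   = '10.2.100.22'      # Exchange server IP, from the post
$SpamFilterIp = '10.2.100.30'      # PLACEHOLDER: the spam filter that delivers inbound mail
$Since        = (Get-Date).AddDays(-14)

# Every message the transport service accepted whose sender is in our own domain.
$events = Get-MessageTrackingLog -Start $Since -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Sender -like "*@$Domain" }

# Classify by how the mail entered Exchange. A real user's mail is a mailbox submission
# (Source STOREDRIVER). An internal sender that arrived over SMTP from the spam filter
# came from the Internet, so somebody outside forged the address. SMTP from any other
# host is a machine on the network talking to a receive connector directly, i.e. an
# anonymous relay or an infected client.
$classified = foreach ($e in $events) {
    if     ($e.Source -eq 'STOREDRIVER')    { $origin = 'MAILBOX SUBMISSION (check the account if unexpected)' }
    elseif ($e.ClientIp -eq $SpamFilterIp)  { $origin = 'INBOUND VIA SPAM FILTER (external spoof of our domain)' }
    elseif ($e.ClientIp -eq $ExchangeIp)    { $origin = 'LOCAL TRANSPORT HOP' }
    else                                    { $origin = 'DIRECT SMTP FROM OTHER HOST (relay abuse / infected client)' }
    [pscustomobject]@{
        Timestamp = $e.Timestamp
        Origin    = $origin
        ClientIp  = $e.ClientIp
        Connector = $e.ConnectorId
        Sender    = $e.Sender
        Subject   = $e.MessageSubject
        MessageId = $e.MessageId
    }
}

# Summary: how much internal-sender mail came in through each path.
$classified | Group-Object Origin | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Senders that no longer exist in the directory cannot be mailbox submissions, so any
# hit here proves the address is forged (the post mentions users removed a year ago).
$classified.Sender | Sort-Object -Unique | ForEach-Object {
    $r = Get-Recipient -Identity $_ -ErrorAction SilentlyContinue
    [pscustomobject]@{ Sender = $_; Recipient = if ($r) { $r.RecipientType } else { 'NOT IN DIRECTORY' } }
} | Where-Object Recipient -eq 'NOT IN DIRECTORY' | Format-Table -AutoSize

# Keep the full evidence list for incident response.
$classified | Export-Csv -Path "$env:TEMP\internal-sender-origins.csv" -NoTypeInformation

# Which receive connectors accept anonymous SMTP, and from which remote ranges? A
# connector granting AnonymousUsers to a broad RemoteIPRanges lets every host in that
# range submit mail with a forged internal sender.
Get-ReceiveConnector | Select-Object Name,
    @{n='Bindings';       e={ $_.Bindings -join ', ' }},
    @{n='RemoteIPRanges'; e={ $_.RemoteIPRanges -join ', ' }},
    @{n='Anonymous';      e={ [bool]($_.PermissionGroups -match 'AnonymousUsers') }},
    AuthMechanism | Format-Table -AutoSize -Wrap
```

If the bulk of the classified events fall under "INBOUND VIA SPAM FILTER", the fix belongs on the filter (reject mail from the Internet whose envelope or header From is your own domain, and enforce SPF/DMARC there), not on Exchange; if they fall under "DIRECT SMTP FROM OTHER HOST", the ClientIp column names the machine to pull off the network and the connector column names the anonymous connector to tighten.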





Hi @FarrukhAliQureshi-1514,

Is there any progress about your issue so far?

AndyDavid answered:

Are you really running Exchange Server 2019 CU1??

Can you confirm the CU?

I suspect your server is compromised if so.

Upgrade to CU11 plus the latest security update.

https://support.microsoft.com/en-gb/topic/cumulative-update-11-for-exchange-server-2019-kb5005334-93fc6a41-faa4-424e-9dcb-27081360872b
Security Update:

https://www.microsoft.com/en-us/download/details.aspx?id=103545

Follow this guidance:

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/


@AndyDavid

Thank you for your helpful clarification.

Yes, unfortunately my current CU is CU1 and it is not yet updated.

So as per your instruction I am going to upgrade CU1 to CU11.

Can you please confirm: are there any additional prerequisites for this upgrade, or should I go with the normal upgrade procedure? I have read in some forum that CU11 is not a usual cumulative update, as it introduces new security capabilities, new prerequisites and changes in command-line deployment.

So it will be really helpful if you share any step-by-step guide to upgrade CU1 to CU11.

Thank You

joyceshen-MSFT commented:

Hi @FarrukhAliQureshi-1514,

Download CU here: Cumulative Update 11 for Exchange Server 2019 (KB5005334)
Download SU here: Security Update For Exchange Server 2019 CU11 (KB5007012)

CU upgrade step by step guide: Upgrade Exchange to the latest Cumulative Update

Description of the security update for Microsoft Exchange Server 2019 and 2016: October 12, 2021 (KB5007012)
To install SU:

  1. Select Start, and type cmd.

  2. In the results, right-click Command Prompt, and then select Run as administrator.

  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

  4. Type the full path of the .msp file, and then press Enter.

AndyDavid answered (edited):

Follow these steps, rebooting after EACH step and running from an ELEVATED PROMPT.

https://docs.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

Install .NET 4.8
https://docs.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019#microsoft-net-framework

Run each step separately running from an ELEVATED PROMPT.
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains


BEFORE INSTALLING CU11: Verify that you have a valid OAuth cert with the Health Checker:
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

Renew the OAuth cert if necessary:
https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired?preserve-view=true#resolution

Then install CU11 running from an ELEVATED PROMPT:
CU11:
https://support.microsoft.com/en-gb/topic/cumulative-update-11-for-exchange-server-2019-kb5005334-93fc6a41-faa4-424e-9dcb-27081360872b

Then install the latest security patch running from an ELEVATED PROMPT:

Critical Patch:
https://www.microsoft.com/en-us/download/details.aspx?id=103545

Verify with the Health Checker:
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-health-checker-has-a-new-home/ba-p/2306671


Troubleshooting:
https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues


Once you are patched, you need to investigate to see if your server has been compromised and scan your server for known exploits:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

If you find no evidence of actual compromise, then you are probably ok, but look to getting a quality anti-malware solution for Exchange for ongoing protection.

If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.
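An added example, not Andy's or Microsoft's code, covering the pre-flight checks the procedure above depends on (.NET 4.8 installed, a reboot completed after each step, a valid OAuth certificate before CU11, services healthy). Run it from an elevated Exchange Management Shell on the server being upgraded; it is read-only. The 30-day warning window for the OAuth certificate is a value chosen for this example; everything else is read from the server and the directory. The schema check assumes the shell runs on a domain-joined machine that can reach the schema naming context.

```powershell
# Added example (not from the original answer). Elevated Exchange Management Shell, read-only.
$WarnDays = 30                      # chosen for this example
$results  = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Ok, $Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Name
        Status = if ($Ok) { 'OK' } else { 'ACTION NEEDED' }
        Detail = $Detail
    })
}

# 1. Where we are starting from (the question reports CU1).
$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
Add-Check 'Exchange build' $true ("{0}: {1}" -f $srv.Name, $srv.AdminDisplayVersion)

# 2. .NET Framework 4.8 must be in place before CU11. The installer reads the same
#    registry key; 528040 is the lowest Release value that means 4.8 or later.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release).Release
Add-Check '.NET Framework 4.8' ($release -ge 528040) "Release=$release"

# 3. A reboot left pending by the previous step is exactly what "reboot after EACH
#    step" above guards against; Setup will stop or misbehave if one is outstanding.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations)
Add-Check 'No reboot pending' (-not $pending) $(if ($pending) { 'reboot before continuing' } else { 'clean' })

# 4. OAuth certificate: if the thumbprint in the auth config is missing from the store,
#    or the certificate is expired or about to expire, OWA and ECP break after the CU
#    (the "cannot access OWA or ECP if OAuth expired" link above). Renew it first.
$auth = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
if (-not $cert) {
    Add-Check 'OAuth certificate' $false "thumbprint $($auth.CurrentCertificateThumbprint) not present in the certificate store"
} else {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Add-Check 'OAuth certificate' ($daysLeft -gt $WarnDays) "expires $($cert.NotAfter.ToShortDateString()) ($daysLeft days left)"
}

# 5. Current Exchange schema version in AD. Record it before /PrepareSchema and read it
#    again afterwards: the value rises when the schema extension actually took.
$schemaNc   = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$rangeUpper = ([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc").rangeUpper
Add-Check 'AD schema version' $true "ms-Exch-Schema-Version-Pt rangeUpper=$rangeUpper"

# 6. All required Exchange services should be running before Setup starts.
$down = Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning }
Add-Check 'Exchange services' (-not $down) $(
    if ($down) { ($down.ServicesNotRunning | Select-Object -Unique) -join ', ' }
    else       { 'all required services running' }
)

$results | Format-Table -AutoSize -Wrap
```

Run it once before /PrepareSchema and once more right before launching the CU11 setup; every row must read OK before you proceed, and the schema row gives you a before/after pair that confirms each preparation step did its work rather than silently failing under a non-elevated prompt.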
