Good day!
We have Exchange 2016 CU20 on Windows Server 2016.
Yesterday our partners received a spam email (with suspicious links) from our address.
Running Get-MessageTrackingLog -Sender "our address" -Start (Get-Date).AddDays(-2) | Format-Table ... you can see that the message was sent from us, from this address.
Also, in the logs of the mail gateway, you can see that the letter was sent from our server.
The partners forwarded this message to us; it is also clear from the headers that the message was sent by us.
But in the mailbox itself this message is in neither Sent Items nor Deleted Items.
The user who uses this mailbox also claims that he did not send anything.
The situation clearly looks like an unauthorized submission. Is this a hack? Where should I dig further?
If the server is compromised, is it better to reinstall it? (there are few mailboxes and the base is very small)
Performed a full scan with the native Windows Defender and MSERT (Microsoft Safety Scanner). Clean.
This server is both a mailbox server and a CAS server.
Clients access it from the outside through the IIS ARR reverse proxy server.
I'm wondering if IIS ARR access really provides better security than just publishing port 443 directly to the Exchange server through the Cisco ASA?
We are also facing the same sort of issue. Have exchange server 2016 and someone is sending to our clients from our company email address with suspicious links.
Not sure where to start the investigation.
Any suggestions?
Had exactly the same issue, yesterday. Would appreciate any guidance on investigation.
Our company has met this situation too. We found that ProxyShell was used to exploit an Exchange server vulnerability, but what is the process behind that mass spamming from our server to our employees? What is the first evidence that can help us start a forensic process?
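One way to start the triage asked for in the original question and in the last comment, as an added example that is not part of the thread: it extends the Get-MessageTrackingLog query above to show how each message entered transport (STOREDRIVER, i.e. submitted from the mailbox, versus SMTP, i.e. handed to a receive connector by some client), then checks the receive connectors for anonymous relay rights and the mailbox for hiding or forwarding rules. It assumes the Exchange Management Shell on the Exchange 2016 server; the address is a placeholder.

```powershell
# Added example, not from the thread. Assumes Exchange Management Shell on the
# Exchange 2016 server; $Sender is a placeholder for the abused address.
$Sender = 'user@example.com'
$Start  = (Get-Date).AddDays(-2)

# 1. Pull every tracking event for the sender, keeping the fields that tell
#    how the message entered transport. Source = STOREDRIVER means it was
#    submitted from the mailbox (Outlook/OWA/EWS); Source = SMTP means a
#    client connected to a receive connector and submitted it directly.
$events = Get-MessageTrackingLog -Sender $Sender -Start $Start -ResultSize Unlimited |
    Select-Object Timestamp, EventId, Source, ClientIp, ClientHostname,
                  ConnectorId, OriginalClientIp, MessageSubject, MessageId

# 2. Summarise the submission paths. A RECEIVE/SMTP row whose ClientIp is not
#    one of your own servers or the ARR proxy means the message never came
#    from the mailbox at all, which matches "nothing in Sent Items".
$events | Where-Object { $_.EventId -in 'RECEIVE', 'SUBMIT' } |
    Group-Object EventId, Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. List receive connectors that accept anonymous SMTP. An
#    ms-Exch-SMTP-Accept-Any-Recipient grant to ANONYMOUS LOGON on a connector
#    reachable from outside is an open relay that spammers will find.
Get-ReceiveConnector | ForEach-Object {
    $relay = $_ | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
             Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' }
    [pscustomobject]@{
        Connector = $_.Name
        Bindings  = ($_.Bindings -join ',')
        RemoteIPs = ($_.RemoteIPRanges -join ',')
        Anonymous = [bool]($_.PermissionGroups -match 'AnonymousUsers')
        OpenRelay = [bool]$relay
    }
} | Format-Table -AutoSize

# 4. Rules that delete, move or forward mail are a common way to hide
#    bounces and replies from the real owner of the mailbox.
Get-InboxRule -Mailbox $Sender |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo
```

Export $events to CSV before any reinstall so the timestamps, client IPs and MessageIds can be matched against the mail gateway and IIS logs later.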