Have Exchange 2016 CU 20 on Windows Server 2016
Yesterday our partners received a spam email (with suspicious links) from our address.
Running Get-MessageTrackingLog -Sender "our address" -Start (Get-Date).AddDays(-2) | Format-Table ... shows that the email was sent from us, from this address.
Also, in the logs of the mail gateway, you can see that the letter was sent from our server.
The partners forwarded this message to us; it is also clear from the headers that the message was sent by us.
But in the mailbox itself, this email is neither in Sent Items nor in Deleted Items.
The user who uses this mailbox also claims that he did not send anything.
The situation clearly looks like an unauthorized submission. What kind of hack is this? Where should I dig further?
If the server is compromised, is it better to reinstall it? (There are few mailboxes and the database is very small.)
I performed a full scan with the built-in Windows Defender and MSERT (Microsoft Safety Scanner). Clean.
This server is both a mailbox server and a CAS server.
Clients access it from the outside through the IIS ARR reverse proxy server.
I'm wondering if IIS ARR access really provides better security than just publishing port 443 directly to the Exchange server through the Cisco ASA?
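Added triage script (my own example, not part of the original post): it pulls the tracking events for the spoofed sender and splits them by submission path, because that is what decides where to look next. A Source of STOREDRIVER means the message left a mailbox (Outlook/OWA/EWS/ActiveSync session or stolen credentials), so the mailbox audit log is the next stop; a Source of SMTP with a RECEIVE event means a receive connector accepted it, and ConnectorId plus ClientIp identify which connector and host. It also lists receive connectors that grant anonymous senders the right to use your own domains, which is the usual cause when nothing in the mailbox itself was touched. The sender address, server name and time window are placeholders you need to replace.

```powershell
# Added example, not from the original post. Placeholders to replace:
# the spoofed sender address, the Exchange server name, and the time window.
$Sender = "sender@example.com"   # placeholder: the address the spam was sent "from"
$Server = "EX01"                 # placeholder: your mailbox/CAS server
$Start  = (Get-Date).AddDays(-2)

# 1. Pull every tracking event for the sender. Source, EventId, ConnectorId and
#    ClientIp/OriginalClientIp are the fields that tell you where the submission came from.
$events = Get-MessageTrackingLog -Server $Server -Sender $Sender -Start $Start -ResultSize Unlimited

# 2. Show the submission path of each message:
#    Source STOREDRIVER (SUBMIT/RECEIVE) -> the message left a mailbox; go to step 5.
#    Source SMTP + EventId RECEIVE        -> a receive connector accepted it; ClientIp and
#                                           ConnectorId show which host and connector.
$events |
  Where-Object { $_.EventId -in 'RECEIVE','SUBMIT' } |
  Sort-Object Timestamp |
  Format-Table Timestamp, EventId, Source, ConnectorId, ClientIp, OriginalClientIp,
               ClientHostname, MessageId, MessageSubject -AutoSize

# 3. Summarise which connector/IP pairs submitted mail as this sender over SMTP.
$events |
  Where-Object { $_.EventId -eq 'RECEIVE' -and $_.Source -eq 'SMTP' } |
  Group-Object ConnectorId, ClientIp |
  Select-Object Count, Name |
  Sort-Object Count -Descending

# 4. Find receive connectors where ANONYMOUS LOGON holds
#    ms-Exch-SMTP-Accept-Authoritative-Domain-Sender or ms-Exch-SMTP-Accept-Any-Sender:
#    anyone who can reach such a connector can send "from" your own addresses.
Get-ReceiveConnector -Server $Server | ForEach-Object {
  $rc = $_
  Get-ADPermission -Identity $rc.Identity |
    Where-Object {
      $_.User -like '*ANONYMOUS*' -and
      (($_.ExtendedRights -join ',') -match 'Accept-Authoritative-Domain-Sender|Accept-Any-Sender')
    } |
    Select-Object @{n='Connector';e={$rc.Name}},
                  @{n='Bindings';e={$rc.Bindings -join ','}},
                  @{n='RemoteIPRanges';e={$rc.RemoteIPRanges -join ','}},
                  User, ExtendedRights
}

# 5. If the path was STOREDRIVER, check whether mailbox auditing was on for this mailbox
#    (owner actions such as sending are only recorded if AuditOwner includes them)
#    and list what it captured: logon type, client IP and client application.
Get-Mailbox $Sender | Select-Object AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin
Search-MailboxAuditLog -Identity $Sender -LogonTypes Owner,Delegate,Admin `
  -StartDate $Start -EndDate (Get-Date) -ShowDetails |
  Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                ClientIPAddress, ClientInfoString, ItemSubject
```

Read step 2 first: if the only events for those messages are SMTP RECEIVE on a frontend connector from an address outside your network, nothing in the mailbox was ever touched, which matches "not in Sent Items", and step 4 tells you whether the connector permissions allowed it. If the events are STOREDRIVER, the mailbox was used, and step 5 (plus the IIS logs on the CAS and the ARR server, which carry the client IP and user agent) shows which session did it.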