This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 23%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Good day!
Have Exchange 2016 CU 20 on Windows Server 2016
Yesterday our partners received a spam email (with suspicious links) from our address.
On command Get-MessageTrackingLog -Sender "our address" -Start (Get-Date) .AddDays (-2) | Format-Table ... you can see that the letter was sent from us from this address.
Also, in the logs of the mail gateway, you can see that the letter was sent from our server.
The partners sent this message, it is also clear in the headings that the message has send us.
But in the mailbox itself, neither sent nor deleted this letter.
The user who uses this mailbox also claims that he did not send anything.
The situation is clearly similar to an unauthorized submission. What is a hack? Where to dig further?
If the server is compromised, is it better to reinstall it? (there are few mailboxes and the base is very small)
Performed a full scan for native Windows Defender and MSERT (Microsoft Safety Scanner). Purely.
This server is both a mailbox server and a CAS server.
Clients access it from the outside through the IIS ARR reverse proxy server.
I'm wondering if IIS ARR access really provides better security than just publishing port 443 directly to the Exchange server through the Cisco ASA?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @Pavel ,
On command Get-MessageTrackingLog -Sender "our address" -Start (Get-Date) .AddDays (-2) | Format-Table ... you can see that the letter was sent from us from this address.
Assuming you have idetified the subject of the spam email, would you run the following command and see if any more findings can be found?
Get-MessageTrackingLog -Sender <SenderAddress> -Start (Get-Date).AddDays(-2) -MessageSubject <MailSubject> | sort-object Timestamp | Format-Table Timestamp,EventId,Source,Sender,Recipients,OriginalClientIp
You can remove all private information like email addresses and IP addresses then share the output here.
By the way, have you modified the default receive connectors or created any custom receive connectors for anonymous relay in your environment? By default, only the "Default Frontend ServerName" receive connector has the"Anonymous users" group. you can run the command below to view the settings of all receive connectors on your side, confirm if there are any other connectos have "Anonymous users" that might be used by spammers. If there are, remove "Anonymous users" for the other receive connectors and monitor for some time to see if the issue persists:
Get-ReceiveConnector | Format-List name,Enabled,Bindings,RemoteIPRanges,PermissionGroups
Please do remember to cover all personal data like domain name, ip addresses, etc for privacy concern.
Hi @Pavel ,
Just checking in to see how you are doing with this issue. If you need further assistance on this, please feel free to post back.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 88%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Our company has met this situation too. We found that a proxyshell was used to exploit exchange server vulnerability, but what is the process of that mass spamming from our server to our employees? What are the first evidences which can help us to start a forensic process?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 3%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
We are also facing the same sort of issue. Have exchange server 2016 and someone is sending to our clients from our company email address with suspicious links.
Not sure where to start the investigation?
Any suggestions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 9%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Had exactly the same issue, yesterday. Would appreciate any guidance on investigation.
Our company has met this situation too. We found that a proxyshell was used to exploit exchange server vulnerability, but what is the process of that mass spamming from our server to our employees? What are the first evidences which can help us to start a forensic process?