Suspected hack of an Exchange 2016 server. What to do?

Павел Павел

Good day!

We have Exchange 2016 CU20 on Windows Server 2016.
Yesterday our partners received a spam email (with suspicious links) from our address.

With the command `Get-MessageTrackingLog -Sender "our address" -Start (Get-Date).AddDays(-2) | Format-Table ...` you can see that the message was sent from our server, from this address.

The mail gateway logs also show that the message was sent from our server.

The partners forwarded us this message; its headers also clearly show that it was sent by us.

But the mailbox itself contains this message in neither Sent Items nor Deleted Items.
The user of this mailbox also claims that he did not send anything.

This clearly looks like an unauthorized submission. Is it a hack? Where should we dig further?

If the server is compromised, is it better to reinstall it? (There are few mailboxes and the database is very small.)

We performed a full scan with the built-in Windows Defender and MSERT (Microsoft Safety Scanner). Clean.

This server is both a mailbox server and a CAS server.

Clients access it from the outside through the IIS ARR reverse proxy server.

I'm wondering whether access through IIS ARR really provides better security than simply publishing port 443 directly to the Exchange server through the Cisco ASA?
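An added triage script for the Exchange Management Shell (not from the original post or from Microsoft) that extends the `Get-MessageTrackingLog` command above: it pulls the RECEIVE events for the suspected sender and groups them by the path the mail entered transport through, which separates mail submitted from the mailbox itself (normally leaving a copy in Sent Items) from mail accepted on an SMTP receive connector. The sender address and the time window are placeholders.

```powershell
# Added triage example, not part of the original thread.
# Replace the placeholder with the affected SMTP address.
$Sender = "user@example.com"
$Since  = (Get-Date).AddDays(-2)

# RECEIVE events are the point where transport accepted the message.
$events = Get-MessageTrackingLog -Sender $Sender -Start $Since `
            -EventId RECEIVE -ResultSize Unlimited

# Source tells you how the message reached transport:
#   STOREDRIVER = submitted from the mailbox (Outlook, OWA, EWS, ActiveSync);
#                 a genuine user send normally also leaves a copy in Sent Items.
#   SMTP        = accepted on a receive connector (authenticated client,
#                 internal relay, or anonymous delivery).
# ConnectorId and ClientIp narrow down which connector and which host.
Write-Host "Submission paths for $Sender since $Since"
$events |
  Group-Object -Property Source, ConnectorId, ClientIp |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize

# Anything that did NOT come through the mailbox store is the first thing
# to examine: a ClientIp that is not a known client, relay or the server
# itself, or a connector that should not be accepting mail for this sender.
Write-Host "Messages not submitted from the mailbox store:"
$events |
  Where-Object { $_.Source -ne 'STOREDRIVER' } |
  Select-Object Timestamp, Source, ConnectorId, ClientIp, OriginalClientIp,
                ClientHostname, ServerHostname, MessageSubject, MessageId |
  Sort-Object Timestamp |
  Format-Table -AutoSize
```

The MessageId values in the last table can be matched against the Message-ID header of the copy the partners forwarded and against the mail gateway logs, so all three sources are tied to the same submission.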

3 answers

  1. Gurmeet Panwar

    Hi @Yuki Sun-MSFT

    We are also facing the same sort of issue. We have Exchange Server 2016 and someone is sending emails with suspicious links to our clients from our company email address.

    Not sure where to start the investigation.

    Any suggestions?

  2. The_Alster

    Had exactly the same issue, yesterday. Would appreciate any guidance on investigation.

  3. Никита Панов

    Our company has run into this situation too. We found that ProxyShell was used to exploit an Exchange Server vulnerability, but what is the process behind that mass spamming from our server to our employees? What is the first evidence that can help us start a forensic process?