Microsoft Exchange 2019 (15.2 Build 33.5) - Issues with internal emails anonymously originating with old email content

Farrukh Ali Qureshi 46 Reputation points
2021-10-27T19:15:14.84+00:00

Hi everyone!

I hope you are doing good.

I am having an issue with my on-premises Microsoft Exchange 2019 server: internal emails are being generated automatically.

i.e., most of my organization's users and some of our external clients' users received emails from my internal users (including users who were closed/removed a year ago) that were sent 1-2 years ago, with the same genuine message body that was sent earlier, originating from many unknown external live IPs, with some different and weird links added at the start of the email, like:

Greetings! I send here a recordwith a thorough explanation of the recent problem. Please check it here:
1)hitjamloaded.com.ng/totamdolor/omnisunde-854740
2)woo.mainsaildata.com/istenon/exercitationemdelectus-854740

Furthermore, my mail server, e.g. webmail.abc.com, has the internal IP 10.2.100.22 and also has an external live IP, but I am using my spam filter as the outbound relay. As per my understanding, since these emails come from multiple different live IPs in different locations but are sent by my own Exchange users, it seems to me like some kind of internal spoofing. My question is: is it really internal spoofing, or some kind of external malware attack, or in any case has one of my current users' PCs been compromised by malware and is it automatically originating internal emails to all Exchange users? And how do I get rid of this weird thing?

Also, most users are observing some weird mail with a txt attachment in Drafts.

As a precautionary measure I have taken the following steps:

  1. Created SPF records in my local domain
  2. Installed the Exchange anti-spam agents
  3. Restarted the Exchange transport services
  4. Set the internal SMTP servers' local IP for Exchange
  5. Set-SenderIdConfig -SpoofedDomainAction Reject
  6. Created a new receive connector with the remote IP range of my intranet users and the IP range of my Exchange server and spam filter.

Can you please help me get rid of this in future, and what could be the root cause of it?

Thanks & regards,

Farrukh Ali
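Added example (not part of the original post): the question "is it really internal spoofing?" is best settled from the transport's own record, not from the headers the recipients see. The script below pulls the RECEIVE events for the suspicious messages from the message tracking log, buckets them by where transport accepted them, and then lists which receive connectors accept mail from unauthenticated clients and from which ranges (the connector created in step 6 included). It assumes the Exchange Management Shell; `abc.com`, the `10.2.x.x` intranet prefix, the subject fragment and the 7-day window are placeholders for this environment.

```powershell
# Added example (not part of the original post): settle "internal spoofing or accepted from
# outside?" from the transport's own record rather than from headers the recipients see.
# Assumptions: run in the Exchange Management Shell; 'abc.com', the 10.2.x.x intranet range,
# the subject fragment and the 7-day window are placeholders for this environment.
$Since       = (Get-Date).AddDays(-7)
$SubjectHint = 'recent problem'     # assumed fragment of the injected text (partial match)
$OurDomain   = 'abc.com'            # assumed accepted domain
$InternalNet = '^10\.2\.'           # assumed intranet prefix, as a regex on ClientIp

# One RECEIVE event per hop where transport accepted the message. ClientIp is the host that
# handed it over, ConnectorId the receive connector that accepted it, and Source is SMTP for
# network submission or STOREDRIVER when a mailbox in this org submitted it.
$received = Get-TransportService | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -Start $Since -EventId RECEIVE -MessageSubject $SubjectHint -ResultSize Unlimited
} | Where-Object { $_.Sender -like "*@$OurDomain" }

$received | Sort-Object Timestamp |
    Select-Object Timestamp, Sender, ClientIp, ClientHostname, Source, ConnectorId, MessageSubject |
    Format-Table -AutoSize

# Three buckets, each pointing at a different root cause
$fromOutside = @($received | Where-Object { $_.Source -eq 'SMTP' -and $_.ClientIp -notmatch $InternalNet })
$fromInside  = @($received | Where-Object { $_.Source -eq 'SMTP' -and $_.ClientIp -match $InternalNet })
$fromMailbox = @($received | Where-Object { $_.Source -eq 'STOREDRIVER' })
"Accepted from external IPs with an internal sender address : $($fromOutside.Count)  (sender spoofing at the edge)"
"Accepted over SMTP from intranet hosts                      : $($fromInside.Count)  (an internal machine is sending)"
"Submitted from a mailbox in this organisation               : $($fromMailbox.Count)  (a mailbox's credentials, a client, or the server itself)"

# Which receive connectors take mail from unauthenticated clients, and from which ranges?
# Anonymous + Accept-Authoritative-Domain-Sender is normal on the internet-facing frontend
# connector (that is how inbound mail arrives), so the thing to verify is that the relay
# connector's RemoteIPRanges really are limited to the spam filter and the intranet.
Get-ReceiveConnector | ForEach-Object {
    $rc   = $_
    $anon = $rc | Get-ADPermission | Where-Object {
        $_.User -like '*Anonymous*' -and -not $_.Deny -and
        ($_.ExtendedRights -match 'Accept-Any-Sender|Accept-Authoritative-Domain-Sender')
    }
    [pscustomobject]@{
        Connector        = $rc.Identity
        Bindings         = ($rc.Bindings -join ', ')
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ', ')
        PermissionGroups = $rc.PermissionGroups
        AnonSenderRights = (($anon.ExtendedRights | ForEach-Object { "$_" } | Sort-Object -Unique) -join ', ')
    }
} | Format-List
```

Reading the result: if every hit sits in the first bucket and the ConnectorId is the internet-facing frontend connector, nothing on the inside generated the mail; the sender address is spoofed on the way in, and SPF/DMARC enforcement on the spam filter (which already sees the external IPs) is where it has to be stopped. Hits in the second bucket name an intranet host to isolate; hits in the third bucket mean a mailbox or the server itself submitted the message, which is the case the accepted answer treats as a compromised server.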

Exchange Server Management

Accepted answer
  1. Andy David - MVP 141.5K Reputation points MVP
    2021-10-27T19:42:16.97+00:00

    Are you really running Exchange Server 2019 CU1??

    Can you confirm the CU?

    I suspect your server is compromised if so.

    Upgrade to CU11 plus the latest security update

    https://support.microsoft.com/en-gb/topic/cumulative-update-11-for-exchange-server-2019-kb5005334-93fc6a41-faa4-424e-9dcb-27081360872b
    Security Update:

    https://www.microsoft.com/en-us/download/details.aspx?id=103545

    Follow this guidance :

    https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

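A way to answer "can you confirm the CU?" from the shell, added here as an example (it is not the answer's own code). AdminDisplayVersion is read from Active Directory and only changes when a CU is installed, so it says nothing about whether the Security Update is in place; the file version of ExSetup.exe on the server does. It assumes the Exchange Management Shell on an Exchange server; the two reference builds are the published ones for Exchange 2019 CU1 (15.2.330.5) and CU11 (15.2.986.5).

```powershell
# Added example (not the answer's own code): confirm the CU of every Exchange 2019 server
# and the Security Update level of the server this runs on. AdminDisplayVersion comes from
# Active Directory and changes only when a CU is installed; a Security Update only raises the
# file version of ExSetup.exe on the server. Assumptions: run in the Exchange Management Shell
# on an Exchange server; the reference builds are the published ones for 2019 CU1
# (15.2.330.5) and 2019 CU11 (15.2.986.5).
$KnownCu   = @{ '15.2.330.5' = 'CU1'; '15.2.986.5' = 'CU11' }
$MinimumCu = [version]'15.2.986.5'

function ConvertTo-ExchangeVersion {
    # "Version 15.2 (Build 986.5)" -> [version]15.2.986.5. Works on the string form and on
    # the ServerVersion object, since both render to the same text.
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    throw "Unrecognised AdminDisplayVersion: $AdminDisplayVersion"
}

# 1. CU level of every server in the organisation, from AD
Get-ExchangeServer | ForEach-Object {
    $cu     = ConvertTo-ExchangeVersion "$($_.AdminDisplayVersion)"
    $name   = 'other CU'
    if ($KnownCu.ContainsKey("$cu")) { $name = $KnownCu["$cu"] }
    $status = 'below CU11, upgrade'
    if ($cu -ge $MinimumCu) { $status = 'CU11 or later' }
    [pscustomobject]@{ Server = $_.Name; CuBuild = $cu; Cu = $name; Status = $status }
} | Format-Table -AutoSize

# 2. SU level of the local server. Right after a CU, ExSetup.exe carries the CU build;
#    each Security Update raises the last number, so equal-to-CU-build means no SU applied.
$vi      = (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo
$fileVer = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
$localCu = ConvertTo-ExchangeVersion "$((Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion)"
"Local server: CU build $localCu, ExSetup.exe $fileVer"
if ($fileVer -eq $localCu) {
    Write-Warning 'No Security Update installed on top of this CU; install the current SU.'
} elseif ($fileVer -gt $localCu) {
    "Security Update present; compare $fileVer with the build listed in the current SU's KB article."
}
```

The Health Checker linked in the next answer does the same comparison across all servers; this is the manual form of that check.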

1 additional answer

  1. Andy David - MVP 141.5K Reputation points MVP
    2021-10-28T13:01:42.703+00:00

    Follow these steps, rebooting after EACH step and running from an ELEVATED PROMPT.

    https://learn.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

    Install .NET 4.8
    https://learn.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019#microsoft-net-framework

    Run each step separately running from an ELEVATED PROMPT.
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

    BEFORE INSTALLING CU11: Verify that you have a valid Oauth Cert with the Health Checker:
    https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

    Renew the OAuth cert if necessary:
    https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired?preserve-view=true#resolution

    Then install CU11 running from an ELEVATED PROMPT:
    CU11:
    https://support.microsoft.com/en-gb/topic/cumulative-update-11-for-exchange-server-2019-kb5005334-93fc6a41-faa4-424e-9dcb-27081360872b

    Then install the latest security patch running from an ELEVATED PROMPT:

    Critical Patch:
    https://www.microsoft.com/en-us/download/details.aspx?id=103545

    Verify with the Health Checker:
    https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-health-checker-has-a-new-home/ba-p/2306671

    Troubleshooting:
    https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues

    Once you are patched, you need to investigate to see if your server has been compromised and scan your server for known exploits:

    https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

    Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server

    https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

    https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

    If you find no evidence of actual compromise, then you are probably ok, but look to getting a quality anti-malware solution for Exchange for ongoing protection.

    If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.

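Pre-flight checks for the sequence in this answer, added here as an example (not the answer's own code). It covers the three things the answer tells you to get right before Setup.exe runs: start from a clean reboot, have .NET Framework 4.8 on the box, and have a current OAuth certificate. It assumes the Exchange Management Shell with local admin rights on the server being upgraded; `$WarnDays` is a chosen threshold, and the .NET 4.8 detection uses the documented `Release` registry value (528040 or higher means 4.8 or later).

```powershell
# Added example (not the answer's own code): run before Setup.exe /PrepareSchema and again
# before installing CU11. Checks: (1) no reboot is pending, since each step above starts
# from a fresh reboot; (2) .NET Framework 4.8 or later is installed (Release >= 528040);
# (3) the OAuth certificate that CU setup and OWA/ECP depend on is still valid.
# Assumptions: Exchange Management Shell, local admin; $WarnDays is a chosen threshold.
$WarnDays = 30

function Test-PendingReboot {
    # The three places Windows records an outstanding reboot
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($cbs -or $wu -or [bool]$pfr)
}

function Get-NetFrameworkRelease {
    # Release DWORD of the installed .NET Framework 4.x; 528040 and above is 4.8 or later
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-OAuthCertificate {
    param([int]$WarnDays)
    # Get-AuthConfig holds the thumbprint of the org-wide OAuth cert; it must exist locally
    # and must not be expired or about to expire when the CU runs.
    $auth = Get-AuthConfig
    $cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Detail = "OAuth thumbprint $($auth.CurrentCertificateThumbprint) not found in the local store" }
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Ok     = ($daysLeft -gt $WarnDays)
        Detail = "OAuth cert $($cert.Thumbprint) expires $($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days left)"
    }
}

$netRelease = Get-NetFrameworkRelease
$oauth      = Test-OAuthCertificate -WarnDays $WarnDays
$results = @(
    [pscustomobject]@{ Check = 'No pending reboot';       Ok = (-not (Test-PendingReboot)); Detail = 'reboot before continuing if False' }
    [pscustomobject]@{ Check = '.NET Framework 4.8+';     Ok = ($netRelease -ge 528040);     Detail = "Release=$netRelease" }
    [pscustomobject]@{ Check = 'OAuth certificate valid'; Ok = $oauth.Ok;                    Detail = $oauth.Detail }
)
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'Fix the failed checks (renew the OAuth cert per the linked article if that one failed) before running Setup.exe.'
}
```

Run it again after the CU and SU are on; the reboot check in particular tells you whether the "reboot after EACH step" rule was actually satisfied before the next step started.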