JOETAM-1112 asked Cesar-5331 commented

Unexpected Spam email in Outlook Draft folder

Dear sir,

A user found that he has 2 unexpected emails in his Drafts folder today; the messages do not belong to him. The server is Exchange 2019, and Outlook is also version 2019.

The email subjects are made of random characters: one is atsgtzpuisiumus, and the other is asdfareafaas.

Inside the email content, both contain the same single sentence: "hello darkness my old friend".

It seems that it is an unexpected spam message. May I know how to check why the message can exist inside the user's "Drafts" folder?

Any suggestion to trace or prevent such messages? Or has the PC been hacked by a virus?

Regards,
Joe Tam



Tags: office-outlook-itpro, office-exchange-server-itpro

Just had this happen to me and it started 9/7/21.

The hackers were attempting to use the random drafts and export them.

On our in-house Exchange server we found files in wwwroot/netframework64 and used Windows Defender to remove them.
Found it was coming from the Netherlands: 95.179.145.105

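The question asks how to find out why such drafts exist, and the comment above reports the drafts being exported and dropped files under the web root. The script below is an added example (not code from this thread or from Microsoft) that triages exactly those points with standard Exchange cmdlets: it counts matching items per mailbox without touching them, reads the Drafts folder timestamps, lists recent mailbox export requests, lists who holds the role needed to create them, and lists recently written .aspx files under the web roots. The subjects and body text are the values from the question; the 30-day window, the choice of .aspx as the file type to look for, and the front-end path are assumptions. Run it in the Exchange Management Shell with an account holding the "Mailbox Search" and "Mailbox Import Export" roles.

```powershell
# Added example (not from the thread): triage the unexpected drafts described above.
# Run in the Exchange Management Shell on Exchange 2019. Subjects and body text are the
# values reported in the question; the lookback window and the assumption that dropped
# files are .aspx pages are illustrative choices.
$Subjects     = @('atsgtzpuisiumus', 'asdfareafaas')
$BodyText     = 'hello darkness my old friend'
$LookbackDays = 30
$Since        = (Get-Date).AddDays(-$LookbackDays)

# 1. Which mailboxes hold matching items? KQL: the body phrase OR any of the subjects.
#    -EstimateResultOnly only counts; nothing is copied, moved or deleted.
$subjectTerms = ($Subjects | ForEach-Object { "subject:`"$_`"" }) -join ' OR '
$query = "`"$BodyText`" OR $subjectTerms"
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }
Write-Host "Mailboxes with matching items: $(@($hits).Count)"
$hits | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize

# 2. For each affected mailbox, item count and newest/oldest item dates in Drafts.
#    A draft timestamped when the user was not at the desk is worth noting.
foreach ($h in $hits) {
    Get-MailboxFolderStatistics -Identity $h.Identity -FolderScope Drafts -IncludeOldestAndNewestItems |
        Select-Object @{n='Mailbox';e={$h.Identity}}, ItemsInFolder,
                      NewestItemReceivedDate, OldestItemReceivedDate
}

# 3. The comment reports the drafts being exported. Export requests persist until someone
#    removes them; list any queued in the window, with the target file path.
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Where-Object { $_.QueuedTimestamp -gt $Since } |
    Select-Object Name, SourceAlias, FilePath, Status, QueuedTimestamp, ContentFilter |
    Format-Table -AutoSize

# 4. Creating an export request requires the "Mailbox Import Export" role. Every holder
#    of that role, and when the assignment was created, should be accounted for.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, WhenCreated |
    Format-Table -AutoSize

# 5. The comment found dropped files under wwwroot. List .aspx files written in the window
#    under the IIS web root and the Exchange front-end virtual directories (assumed paths).
$roots = @('C:\inetpub\wwwroot', (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'))
Get-ChildItem -Path $roots -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Two caveats: Get-MailboxExportRequest and Search-Mailbox return nothing, rather than an error, if your account lacks the corresponding role, so confirm the role assignment before trusting an empty result; and an empty step 3 does not clear the server, since a request can be removed after it completes, which is why step 4 lists the role holders as well.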

@JOETAM-1112

Any update on this thread now? Has this phenomenon gone?
If the suggestion below helps, please feel free to mark it as an answer to help more people.

AndyDavid answered AndyDavid edited

I suspect your server has been hacked:
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html

Have you applied the latest July critical security updates for Exchange?

Samijuke-5594 answered

Hello,

I have the same drafts from a user, with the same subject "hello darkness my old friend".

Bitdefender antivirus shows nothing, the PC and office suite 2019 are up to date, as well as Exchange 2019.

If you have more info I'm interested.

Best regards

Sami

AndyDavid answered Samijuke-5594 commented

Thanks!

KyleXu-MSFT answered Cesar-5331 commented

@JOETAM-1112

Here is a blog from Microsoft, ProxyShell vulnerabilities and your Exchange Server, which says:

Your Exchange servers are vulnerable if any of the following are true:

  • The server is running an older, unsupported CU (without May 2021 SU);

  • The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or

  • The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.



Indeed it is the ProxyShell vulnerability; we have updated Exchange on our side.

Cesar-5331 commented (in reply to Samijuke-5594):

Hi,
We are experiencing the same issue. Which CU did you upgrade from?

We are currently running CU4.

Thank you

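AndyDavid's answer asks whether the July security updates are installed, the quoted Microsoft blog says any server not on a supported CU with the latest SU is exposed, and the last comment is unsure which CU the organisation is on. The script below is an added example (not code from this thread or from Microsoft) that answers all three questions for every server in the organisation. AdminDisplayVersion from Get-ExchangeServer reflects only the CU, so the security update level is read from the file version of ExSetup.exe on each server over PowerShell remoting (assumed to be enabled). The required build is not hard-coded: the operator passes the build number for the SU they require for their CU, taken from Microsoft's Exchange Server build-number table, as the -RequiredBuild parameter.

```powershell
# Added example (not from the thread): report the installed Exchange build on every
# server and flag those below the security update level you require.
# Assumptions: PowerShell remoting to each server works, and $RequiredBuild is supplied
# by the operator from Microsoft's Exchange build-number table for the CU in use.
param(
    [Parameter(Mandatory)][version]$RequiredBuild   # e.g. the Jul21SU build for your CU
)

function Get-ExSetupBuild {
    param([string]$ComputerName)
    # ExSetup.exe carries the exact build, including security updates; the Exchange
    # install path is published on each server as $env:ExchangeInstallPath.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
        (Get-Item $exe).VersionInfo.FileVersion      # e.g. "15.02.0922.013"
    }
}

$report = foreach ($srv in Get-ExchangeServer) {
    $build = [version](Get-ExSetupBuild -ComputerName $srv.Fqdn)
    [pscustomobject]@{
        Server       = $srv.Name
        CU           = $srv.AdminDisplayVersion   # CU level only, e.g. "Version 15.2 (Build 858.5)"
        ExSetupBuild = $build                     # CU plus SU level
        Status       = if ($build -ge $RequiredBuild) { 'current' } else { 'BELOW REQUIRED' }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

if ($report | Where-Object Status -ne 'current') {
    Write-Warning 'One or more servers are below the required build: install the latest supported CU and all applicable SUs.'
}
```

Save it as a .ps1 and run it from the Exchange Management Shell as `.\Get-ExchangeBuildStatus.ps1 -RequiredBuild <build from Microsoft's table>` (the file name is a placeholder). The [version] comparison is what makes the check reliable: the CU in AdminDisplayVersion cannot tell a patched server from an unpatched one, but the fourth component of the ExSetup.exe file version changes with every SU.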