JOETAM-1112 asked yklam-2911 answered

Unexpected Spam email in Outlook Draft folder

Dear sir,

A user found that he has 2 unexpected emails in his Drafts folder today; the messages do not belong to him. The server is Exchange 2019, and Outlook is also version 2019.

The email subjects are random characters: one is atsgtzpuisiumus, and the other is asdfareafaas.

Inside the email content, both have the same single sentence: "hello darkness my old friend".

It seems to be an unexpected spam message. May I know how to check why the message can exist inside the user's "Drafts" folder?

Any suggestions to trace or prevent such messages? Or has the PC been hacked by a virus?

Regards,
Joe Tam




Hello.
We just recovered and investigated a ransomware attack where this was found after recovery was completed.
Your exchange server has been compromised.
These outbound messages are being used to advertise your server on the dark web as "available for hacking" and will be sold. The buyer may purchase ransomware as a service and then use the hook to easily deploy ransomware with little effort.

You need to run the Microsoft Safety Scanner (called MSERT) to help remove the hook they have in place and immediately install the latest Exchange CU and security patches. It's not a matter of if but when your server will be attacked otherwise.

Good luck with this!


Just had this happen to me and it started 9/7/21

The hackers were attempting to use the random drafts and export them.

On our in-house Exchange, we found files in wwwroot/netframework64 and used Windows Defender to remove them.
Found it was coming from the Netherlands: 95.179.145.105

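The export requests and web-root files this comment describes can be hunted for from the Exchange Management Shell on the Mailbox server itself. The script below is an added example and is not code posted by anyone in this thread. It assumes a 30-day lookback, the default IIS and Exchange web roots, and the draft marker phrase quoted in the question; it must run as an account holding the Mailbox Import Export and Mailbox Search roles, and it only reports, it deletes nothing.

```powershell
# Added example, not from the thread. Hunts for the ProxyShell post-exploitation
# artifacts described above from the Exchange Management Shell on a Mailbox server.
# Assumed values: 30-day lookback, the default IIS/Exchange web roots, and the
# draft marker phrase quoted in the question. Needs the Mailbox Import Export
# and Mailbox Search roles.
param(
    [int]    $LookbackDays = 30,
    [string] $Marker       = 'hello darkness my old friend'
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$webRoots = @('C:\inetpub\wwwroot')
if ($env:ExchangeInstallPath) {
    # Exchange's own front-end virtual directories live here and are web-served too.
    $webRoots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
}

# 1. Mailbox export requests. The ProxyShell chain abused New-MailboxExportRequest
#    (CVE-2021-31207) to write a mailbox, draft included, to a web-served .aspx path.
#    Completed requests are kept for a limited time and an attacker can remove them,
#    so an empty list is not proof of a clean server.
Write-Host '== Mailbox export requests =='
Get-MailboxExportRequest | ForEach-Object {
    $stats = Get-MailboxExportRequestStatistics -Identity $_.Identity
    $path  = [string]$stats.FilePath
    [pscustomobject]@{
        Mailbox    = $_.Mailbox
        Status     = $_.Status
        Queued     = $stats.QueuedTimestamp
        FilePath   = $path
        Suspicious = ($path -match '\.aspx$' -or $path -match 'inetpub|wwwroot|HttpProxy')
    }
} | Format-Table -AutoSize

# 2. Who can run exports at all. The role is assigned to no one by default, so every
#    assignment listed here should be explainable.
Write-Host '== Mailbox Import Export role assignments =='
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, WhenCreated |
    Format-Table -AutoSize

# 3. Recently created or modified .aspx files under the web roots.
Write-Host "== .aspx files written since $since =="
foreach ($root in $webRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}

# 4. Mailboxes still holding the planted draft (estimate only, nothing is deleted).
Write-Host '== Mailboxes containing the marker phrase =='
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery "Body:`"$Marker`"" -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 } |
    Select-Object Identity, ResultItemsCount |
    Format-Table -AutoSize
```

Two caveats when reading the output: installing a CU rewrites the legitimate .aspx files under FrontEnd\HttpProxy, so step 3 will list many files right after an upgrade, and step 4 walks every mailbox with Search-Mailbox, which is slow on large organisations; narrow the Get-Mailbox call to the affected database or users first if you only need confirmation.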

@JOETAM-1112

Any update on this thread now? Has this phenomenon gone?
If the suggestion below helps, please feel free to accept it as an answer to help more people.

AndyDavid answered AndyDavid edited

I suspect your server has been hacked:
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html

Have you applied the latest July critical security updates for Exchange?

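The ProxyShell exploitation described in the linked analysis leaves a distinctive shape in the IIS logs of the front-end web site: a request to /autodiscover/autodiscover.json whose query string starts with "@<something>/" and smuggles a back-end path such as /powershell or /mapi/nspi. The function below is an added example, not code from this thread or from the linked post. It parses W3C-format IIS log lines and flags requests of that shape. The detection regex is a heuristic taken from public ProxyShell write-ups, and the log lines it is run against here are constructed for the example; the host names, IPs and the REDACTED token are invented.

```powershell
# Added example, not from the thread. Flags ProxyShell-style path-confusion
# requests in IIS W3C logs. Heuristic: stem is /autodiscover/autodiscover.json and
# the query smuggles "@host/<backend path>". The sample log below is constructed.
function Find-ProxyShellRequests {
    param([Parameter(ValueFromPipeline = $true)][string[]] $Lines)
    begin {
        $fields       = $null
        $stemPattern  = '^/autodiscover/autodiscover\.json'
        $queryPattern = '@[^/]*/(powershell|mapi/nspi|ews)'
    }
    process {
        foreach ($line in $Lines) {
            # Each log file carries its own #Fields: header; use it to name the columns.
            if ($line -like '#Fields:*') {
                $fields = ($line -replace '^#Fields:\s*', '') -split ' '
                continue
            }
            if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
            $parts = $line -split ' '
            if ($parts.Count -ne $fields.Count) { continue }   # malformed line, skip it
            $rec = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }
            if (($rec['cs-uri-stem'] -match $stemPattern) -and ($rec['cs-uri-query'] -match $queryPattern)) {
                [pscustomobject]@{
                    Time     = "$($rec['date']) $($rec['time'])"
                    ClientIP = $rec['c-ip']
                    Method   = $rec['cs-method']
                    Backend  = $Matches[1]          # smuggled back-end path
                    Status   = $rec['sc-status']
                    Query    = $rec['cs-uri-query']
                }
            }
        }
    }
}

# Constructed sample: two legitimate Autodiscover requests, then two ProxyShell-shaped ones.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-07 08:12:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\alice 10.0.0.21 Microsoft+Office/16.0 - 200 0 0 31
2021-09-07 08:12:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@contoso.com&Protocol=AutodiscoverV1 443 - 10.0.0.21 Outlook-iOS/2.0 - 200 0 0 15
2021-09-07 08:14:22 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.77 python-requests/2.26.0 - 200 0 0 120
2021-09-07 08:14:25 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=REDACTED 443 - 198.51.100.77 python-requests/2.26.0 - 200 0 0 844
'@

$hits = $sampleLog -split "`r?`n" | Find-ProxyShellRequests
$hits | Format-Table -AutoSize

# Against a real server, point it at the front-end site's logs (the Default Web Site
# is usually W3SVC1); the function resets its column map at each file's #Fields: header.
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' | Get-Content | Find-ProxyShellRequests
```

The legitimate autodiscover.json request in the sample also contains an "@" (in Email=alice@contoso.com), which is why the pattern insists on a slash and a known back-end path after the host part rather than matching on "@" alone; a 200 on the /powershell variant is the line that should worry you, since it means the back end accepted the smuggled request.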

Samijuke-5594 answered

Hello,

I have the same drafts from a user, with the same subject "hello darkness my old friend".

Bitdefender antivirus shows nothing, the PC and office suite 2019 are up to date, as well as Exchange 2019.

If you have more info I'm interested.

Best regards

Sami


AndyDavid answered Samijuke-5594 commented

Thanks!

KyleXu-MSFT answered Samijuke-5594 commented

@JOETAM-1112

Here is a blog from Microsoft, ProxyShell vulnerabilities and your Exchange Server; it says:

Your Exchange servers are vulnerable if any of the following are true:

  • The server is running an older, unsupported CU (without May 2021 SU);

  • The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or

  • The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

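The list above is about CU and SU level, and Exchange reports the two differently: the AdminDisplayVersion that Get-ExchangeServer returns shows the CU build and does not change when a Security Update is installed, so a server can look current from that value while missing the SU entirely. The SU level is only visible in the file version of ExSetup.exe on the server itself. The script below is an added example, not code from this thread; it reads that file version from each Mailbox server over WinRM and compares it with a minimum build you supply. The -MinimumPatchedBuild value is an assumption for you to fill in from Microsoft's Exchange Server build-number table for your CU.

```powershell
# Added example, not from the thread. Reports the real patch level of each Exchange
# server: AdminDisplayVersion (CU only) beside the ExSetup.exe file version (CU + SU).
# $MinimumPatchedBuild is an assumed input taken from Microsoft's build-number table
# for the CU you run; WinRM access to each server is assumed.
param(
    [Parameter(Mandatory = $true)][version] $MinimumPatchedBuild
)

function Get-ExchangePatchLevel {
    param([string] $ServerName)
    # The ProductVersion of ExSetup.exe is the build Microsoft lists per SU
    # (e.g. "15.02.0922.013" style strings parse cleanly as [version]).
    $raw = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
    }
    [version]$raw
}

Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer } | ForEach-Object {
    $build = Get-ExchangePatchLevel -ServerName $_.Name
    [pscustomobject]@{
        Server              = $_.Name
        AdminDisplayVersion = $_.AdminDisplayVersion   # CU level only
        ExSetupBuild        = $build                   # CU plus installed SU
        AtOrAboveMinimum    = ($build -ge $MinimumPatchedBuild)
    }
} | Format-Table -AutoSize
```

Run it as `.\Get-ExchangePatchLevel.ps1 -MinimumPatchedBuild <build from Microsoft's table>` from the Exchange Management Shell. Build numbers rise with every CU, so compare against the patched build of the CU each server actually runs; a server on a newer CU that has not had its own SU applied will still pass an older CU's threshold, which is exactly the gap the answer above warns about.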

indeed it is the proxyshell vulnerability, we have updated Exchange on our side


Hi,
We are experiencing the same issue. Which CU did you upgrade from?

We are currently running CU4.

Thank you


Exchange 2019 CU 10 ;)

MaxFury-8335 answered Samijuke-5594 commented

I too have faced such a problem. If I can get any help from here then I will be grateful.


Hi !

Update your Exchange server and you will be protected.

yklam-2911 answered

I am facing the same issue on Exchange 2016 CU20.

After I ran EOMT.ps1 and MSERT.exe, they found it infected by backdoors:
MSIL/Chopper.F!dha
MSIL/AgenteslaPacker!MTB
ASP/WebShell.C!MTB

The results showed some suspicious files had already been removed,
but they kept coming back.

I patched it with (for CU20),
KB5003435 (CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209) and
KB5004779 (CVE-2021-31196, CVE-2021-31206)

So far, no more issues. (fingers crossed)
