Forum Discussion
Exchange Server was exploited and used to send spam email
Hello Don,
We are investigating similar messages and messages primarily for non-existing domains in our environments. In our case mostly for .com.br and .com.ar domains, although totally not relevant for any of our organizations. We don’t expect that any of our organizations is compromised and so far we trace it back to a new form of spoofing or tricking spam filters. All our Exchange farms are behind different isolated relay solutions.
Mails are related to payments and bitcoin frauds. Also classical “we see what you are doing online” messages.
So far we see it has stopped at Dec 4, 22:10 EU time.
I will update here if we find some interesting details that are worth sharing.
In any case, I suggest you send an internal message that users should be careful.
Kind regards,
Christiaan
- christiaan-nl (Brass Contributor), Dec 06, 2022: We closed the case internally as we see this as a new form of spam that tweaked known algos. Now all mail messages are picked up by antispam, so probably they found a new way to get past them. We performed checks on various systems and see no reason to continue the research for now. However, we will do extra monitoring on abnormal mail activity.