Forum Discussion
gigits, Copper Contributor
Sep 30, 2021
hello darkness my old friend worrying emails in draft
Hi everyone, we run on-premises Exchange 2019 and Outlook clients keep showing an email message in the Drafts folder with the content "hello darkness my old friend". The server is fully patched with the latest CU but the message keeps coming back. Any idea how to prevent this? Thanks
- James1 Brass Contributor
Hello, we are currently facing the same issue on Exchange 2016. Yesterday we patched the server fully (although it failed the installation at the last step, but all the services are working and it is showing as the latest).
However, as with you, it did not solve the issue. We are rescanning the server using MSERT, later will apply the Exchange mitigation tool and let you know the results.
- BerndW Copper Contributor
Hi there,
we are facing the same strange mails with Exchange 2016. We are just updating to CU22 and did not find any evidence of a virus/backdoor at all. MSERT shows nothing and I cannot find any strange webhooks, aspx files or other things.
Mails still keep coming.
Did you find any clue?
Best regards,
Bernd
- James1 Brass Contributor
BerndW For us, we indeed noticed some webhooks under Program Files; applicationHost.config has been altered as well - there have been virtual directories added. We deleted those, fully patched the server, did multiple MSRT full scans. After that the mails in the drafts still appeared.
We fully deleted those mails from user boxes via
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -DeleteContent
You can check if you have those emails here
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -EstimateResultOnly | Select-Object -Property Identity, ResultItemsCount
After deletion those emails are no longer appearing, however we're still monitoring; also, a fresh Exchange server is in the works.
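
The last reply mentions virtual directories added to applicationHost.config. As an added example (not part of the thread, and not code from any poster), the PowerShell below diffs the virtual directories in a known-good copy of that file against the current one and reports entries that were added or repointed. The helper names `Get-ConfigVDir` and `Compare-ConfigVDir`, the sample XML and all paths in it are constructed for illustration.

```powershell
# Constructed sample input: two trimmed applicationHost.config fragments.
# On a server, load a known-good copy (backup or IIS config history) and the live
# %windir%\System32\inetsrv\config\applicationHost.config with [xml](Get-Content <path> -Raw).
[xml]$baseline = @'
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <application path="/owa">
      <virtualDirectory path="/" physicalPath="C:\Exchange\FrontEnd\HttpProxy\owa" />
    </application>
  </site>
</sites></system.applicationHost></configuration>
'@
[xml]$current = @'
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <application path="/owa">
      <virtualDirectory path="/" physicalPath="C:\Exchange\FrontEnd\HttpProxy\owa" />
      <virtualDirectory path="/constructed-example" physicalPath="C:\ConstructedExample\dir" />
    </application>
  </site>
</sites></system.applicationHost></configuration>
'@

# Hypothetical helper: flatten every site/application/virtualDirectory into objects.
function Get-ConfigVDir {
    param([xml]$Config)
    foreach ($vdir in $Config.SelectNodes('//sites/site/application/virtualDirectory')) {
        $app = $vdir.ParentNode
        [pscustomobject]@{
            Key          = '{0}|{1}|{2}' -f $app.ParentNode.GetAttribute('name'),
                               $app.GetAttribute('path'), $vdir.GetAttribute('path')
            PhysicalPath = $vdir.GetAttribute('physicalPath')
        }
    }
}

# Hypothetical helper: report entries that are new or point elsewhere than in the baseline.
function Compare-ConfigVDir {
    param([xml]$Baseline, [xml]$Current)
    $known = @{}
    foreach ($v in Get-ConfigVDir $Baseline) { $known[$v.Key] = $v.PhysicalPath }
    foreach ($v in Get-ConfigVDir $Current) {
        if (-not $known.ContainsKey($v.Key)) { $status = 'Added' }
        elseif ($known[$v.Key] -ne $v.PhysicalPath) { $status = 'Repointed' }
        else { continue }
        [pscustomobject]@{ Status = $status; Key = $v.Key; PhysicalPath = $v.PhysicalPath }
    }
}

Compare-ConfigVDir -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With the constructed input, the only row reported is the `/constructed-example` entry with status `Added`.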