Forum Discussion
hello darkness my old friend worrying emails in draft
However as you it did not solve the issue. We are rescanning the server using MSERT, later will apply Exchange mitigation tool and let you know the results.
- BerndW, Oct 04, 2021, Copper Contributor
Hi there,
we are facing the same strange mails with Exchange 2016. We are just updating to CU22 and did not find any evidence of a virus/backdoor at all. MSERT shows nothing and I cannot find any strange webhooks, aspx files or other things.
Mails still keep coming.
Did you find any clue?
Best regards,
Bernd
- James1, Oct 05, 2021, Brass Contributor
BerndW For us we indeed noticed some webhooks under Program Files; applicationHost.config had been altered as well, there had been virtual directories added. We deleted those, fully patched the server, and did multiple MSRT full scans. After that the mails in the drafts still appeared.
We fully deleted those mails from user boxes via
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -DeleteContent
You can check if you have those emails here
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -EstimateResultOnly | Select-Object -Property Identity, ResultItemsCount
After deletion those emails are no longer appearing; however, we're still monitoring, and a fresh Exchange server is in the works.
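The two checks James describes (counting the suspicious draft items per mailbox without deleting anything, and looking for virtual directories that were added to applicationHost.config) can be run together from a single triage script. The script below is an added example, not code from the thread; it assumes an Exchange 2016 Management Shell session, a default install path under `C:\Program Files\Microsoft\Exchange Server\V15`, and that the `Search-Mailbox` cmdlet (deprecated, but still present on Exchange 2016) is available. The `attachment:FileAttachment.txt` query is the one from James's post; the 30-day window for recently modified .aspx files is an assumed heuristic, not an indicator from the thread.

```powershell
# Added triage script (not from the thread). Assumptions: Exchange Management Shell,
# default V15 install root, Search-Mailbox available. Nothing here deletes anything.
$ExchangeRoot  = 'C:\Program Files\Microsoft\Exchange Server\V15'      # assumed install root
$AppHostConfig = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$DraftQuery    = 'attachment:FileAttachment.txt'                      # query from the thread
$LookbackDays  = 30                                                   # assumed heuristic window

# 1. Count matching items per mailbox (estimate only, so mail is left untouched).
function Get-SuspiciousDraftCounts {
    Get-Mailbox -ResultSize Unlimited |
        Search-Mailbox -SearchQuery $DraftQuery -EstimateResultOnly |
        Where-Object { $_.ResultItemsCount -gt 0 } |
        Select-Object Identity, ResultItemsCount
}

# 2. List every IIS virtual directory whose physical path lies outside the Exchange
#    install root or the default IIS root. Legitimate Exchange vdirs point under V15;
#    anything else is a candidate for manual review (compare against a known-good server).
function Get-UnexpectedVirtualDirectories {
    [xml]$cfg = Get-Content -Raw -Path $AppHostConfig
    $known = @($ExchangeRoot, (Join-Path $env:SystemDrive 'inetpub'))
    foreach ($site in $cfg.configuration.'system.applicationHost'.sites.site) {
        foreach ($app in $site.application) {
            foreach ($vdir in $app.virtualDirectory) {
                $physical = [Environment]::ExpandEnvironmentVariables($vdir.physicalPath)
                $isKnown  = $known | Where-Object { $physical.StartsWith($_, 'OrdinalIgnoreCase') }
                if (-not $isKnown) {
                    [pscustomobject]@{
                        Site         = $site.name
                        Application  = $app.path
                        VirtualDir   = $vdir.path
                        PhysicalPath = $physical
                    }
                }
            }
        }
    }
}

# 3. Recently written .aspx files under the front-end and back-end web roots.
#    A CU install also touches these files, so treat hits as leads, not verdicts.
function Get-RecentAspxFiles {
    $roots = @('FrontEnd\HttpProxy', 'ClientAccess') |
        ForEach-Object { Join-Path $ExchangeRoot $_ } |
        Where-Object { Test-Path $_ }
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-ChildItem -Path $roots -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}

Write-Host '== Mailboxes with matching draft items =='
Get-SuspiciousDraftCounts | Format-Table -AutoSize
Write-Host '== Virtual directories outside known roots =='
Get-UnexpectedVirtualDirectories | Format-Table -AutoSize
Write-Host "== .aspx files written in the last $LookbackDays days =="
Get-RecentAspxFiles | Format-Table -AutoSize
```

Run it once before cleanup to record what is present, and again afterwards to confirm the draft counts drop to zero and no unexpected virtual directories remain. Only after reviewing the estimate output should the `-DeleteContent` variant from James's post be run.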
- BerndW, Oct 05, 2021, Copper Contributor
Hi James,
thanks for your info and the powershell commands. I'll let our customer run both. I'm still hoping that we don't have to reinstall the cluster.
Best regards,
Bernd
- Brian_Burke, Oct 04, 2021, Copper Contributor
We had the exact same issue with 3 different iterations in the spam folder. Turns out you are indeed compromised. Windows Defender found multiple infected files. Tried Sophos as well and it found nothing. To remediate we first removed all access from outside the organization ("OWA"). Next we built a new Exchange server and migrated the roles to the new server. Just finished migrating the last mailboxes this weekend to the new server and will be decommissioning the old server this week. I will attach links to references we received from the NYS Cyber Response Team.
It's part of an attack chain discovered by Orange Tsai that exploits Proxyshell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and was discussed recently at Blackhat. FireEye mentions it here:
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html
Orange Tsai published his findings here with a lot more detail:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect2.fireeye.com%2Fv1%2Furl%3Fk%3Dc633e17d-99a8d86c-c6311848-000babd9fe9f-cb6ee1aff7561643%26q%3D1%26e%3D85367af3-a797-4ba8-ba54-f0f2cb5e9406%26u%3Dhttps%253A%252F%252Fgcc02.safelinks.protection.outlook.com%252F%253Furl%253Dhttps%25253A%25252F%25252Fprotect2.fireeye.com%25252Fv1%25252Furl%25253Fk%25253D174d09da-48d63107-174ff0ef-0cc47aa8c6e0-0b7ac0fd52dc8322%252526q%25253D1%252526e%25253D67ae17f6-36cb-41e8-993a-3a373ba9d51a%252526u%25253Dhttps%2525253A%2525252F%2525252Fna01.safelinks.protection.outlook.com%2525252F%2525253Furl%2525253Dhttps%252525253A%252525252F%252525252Fprotect2.fireeye.com%252525252Fv1%252525252Furl%252525253Fk%252525253D55f1d74e-0a6aee6a-55f32e7b-000babd9f8b3-28016d2cae59df2d%2525252526q%252525253D1%2525252526e%252525253D2b6138e7-d3c5-46c2-8850-3e92f4910675%2525252526u%252525253Dhttps%25252525253A%25252525252F%25252525252Fna01.safelinks.protection.outlook.com%25252525252F%25252525253Furl%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fprotect2.fireeye.com%2525252525252Fv1%2525252525252Furl%2525252525253Fk%2525252525253D0dd85431-52436d03-0ddaad04-000babd905ee-c7c423b0863e76d4%25252525252526q%2525252525253D1%25252525252526e%2525252525253D3687522f-0342-4669-a053-29c79990d2c0%25252525252526u%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fgcc02.safelinks.protection.outlook.com%252525252525252F%252525252525253Furl%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fprotect2.fireeye.com%25252525252525252Fv1%25252525252525252Furl%25252525252525253Fk%25252525252525253Dcbc9e16a-9452d871-cbcb185f-0cc47a6d17e0-c85eb1f127a295a7%252525252525252526q%25252525252525253D1%252525252525252526e%25252525252525253D38cb82d4-99df-41b2-a038-44a596f58aa6%252525252525252526u%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fwww.zerodayinitiative.com%2525252525252525252Fblog%2525252525252525252F2021%252525252
5252525252F8%2525252525252525252F17%2525252525252525252Ffrom-pwn2own-2021-a-new-atta
Below is a link to a translated Chinese-language article that discusses more of Orange Tsai's findings and specifically mentions the "welcome to darkness side" text, etc.
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect2.fireeye.com%2Fv1%2Furl%3Fk%3Df2aa0ad0-ad3133c1-f2a8f3e5-000babd9fe9f-6636783eece894aa%26q%3D1%26e%3D85367af3-a797-4ba8-ba54-f0f2cb5e9406%26u%3Dhttps%253A%252F%252Fgcc02.safelinks.protection.outlook.com%252F%253Furl%253Dhttps%25253A%25252F%25252Fprotect2.fireeye.com%25252Fv1%25252Furl%25253Fk%25253D6b58e62d-34c3def0-6b5a1f18-0cc47aa8c6e0-ce76094a95880d93%252526q%25253D1%252526e%25253D67ae17f6-36cb-41e8-993a-3a373ba9d51a%252526u%25253Dhttps%2525253A%2525252F%2525252Fna01.safelinks.protection.outlook.com%2525252F%2525253Furl%2525253Dhttps%252525253A%252525252F%252525252Fprotect2.fireeye.com%252525252Fv1%252525252Furl%252525253Fk%252525253Dd2ff1d88-8d6424ac-d2fde4bd-000babd9f8b3-376ed1fb059b6196%2525252526q%252525253D1%2525252526e%252525253D2b6138e7-d3c5-46c2-8850-3e92f4910675%2525252526u%252525253Dhttps%25252525253A%25252525252F%25252525252Fna01.safelinks.protection.outlook.com%25252525252F%25252525253Furl%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fprotect2.fireeye.com%2525252525252Fv1%2525252525252Furl%2525252525253Fk%2525252525253Dbbe1be4b-e47a8779-bbe3477e-000babd905ee-2b15f80f164e0c13%25252525252526q%2525252525253D1%25252525252526e%2525252525253D3687522f-0342-4669-a053-29c79990d2c0%25252525252526u%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fgcc02.safelinks.protection.outlook.com%252525252525252F%252525252525253Furl%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fprotect2.fireeye.com%25252525252525252Fv1%25252525252525252Furl%25252525252525253Fk%25252525252525253Dcab2c035-9529f92e-cab03900-0cc47a6d17e0-bc72fdeb8e9aa044%252525252525252526q%25252525252525253D1%252525252525252526e%25252525252525253D38cb82d4-99df-41b2-a038-44a596f58aa6%252525252525252526u%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Ftranslate.google.com%2525252525252525252Ftranslate%2525252525252525253Fhl%25252525252
52525253Den%25252525252525252526sl%2525252525252525253Dzh-CN%25252525252525252526u%252
Github post/Python script that references the text as well.
Original: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect2.fireeye.com%2Fv1%2Furl%3Fk%3D53aaa3eb-0c319afa-53a85ade-000babd9fe9f-563cd7a8d01a426e%26q%3D1%26e%3D85367af3-a797-4ba8-ba54-f0f2cb5e9406%26u%3Dhttps%253A%252F%252Fgcc02.safelinks.protection.outlook.com%252F%253Furl%253Dhttps%25253A%25252F%25252Fprotect2.fireeye.com%25252Fv1%25252Furl%25253Fk%25253D59d9bdde-06428503-59db44eb-0cc47aa8c6e0-4e6cb68041c29b79%252526q%25253D1%252526e%25253D67ae17f6-36cb-41e8-993a-3a373ba9d51a%252526u%25253Dhttps%2525253A%2525252F%2525252Fna01.safelinks.protection.outlook.com%2525252F%2525253Furl%2525253Dhttps%252525253A%252525252F%252525252Fprotect2.fireeye.com%252525252Fv1%252525252Furl%252525253Fk%252525253Dd08c7aba-8f17439e-d08e838f-000babd9f8b3-5a96e7e67144fadd%2525252526q%252525253D1%2525252526e%252525253D2b6138e7-d3c5-46c2-8850-3e92f4910675%2525252526u%252525253Dhttps%25252525253A%25252525252F%25252525252Fna01.safelinks.protection.outlook.com%25252525252F%25252525253Furl%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fprotect2.fireeye.com%2525252525252Fv1%2525252525252Furl%2525252525253Fk%2525252525253D730fce21-2c94f713-730d3714-000babd905ee-bb701351fba2afcd%25252525252526q%2525252525253D1%25252525252526e%2525252525253D3687522f-0342-4669-a053-29c79990d2c0%25252525252526u%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fgcc02.safelinks.protection.outlook.com%252525252525252F%252525252525253Furl%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fprotect2.fireeye.com%25252525252525252Fv1%25252525252525252Furl%25252525252525253Fk%25252525252525253Da9c30cc4-f65835df-a9c1f5f1-0cc47a6d17e0-c0f422e8952437ae%252525252525252526q%25252525252525253D1%252525252525252526e%25252525252525253D38cb82d4-99df-41b2-a038-44a596f58aa6%252525252525252526u%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fgithub.com%2525252525252525252Fdmaasland%2525252525252525252Fproxyshell-poc
%2525252525252525252Fblob%2525252525252525252Fmain%2525252525252525252Fproxyshell_rce.py%25252
- BerndW, Oct 05, 2021, Copper Contributor
Hi Brian,
thanks for your help and the links. I could not find any of the backdoors at the two servers. I've patched one yesterday to CU22 and the other one will also be patched this week. I hope we can get rid of the infection.
Best regards,
Bernd