Forum Discussion
hello darkness my old friend worrying emails in draft
Hi there,
we are facing the same strange mails with Exchange 2016. We are just updating to CU22 and did not find any evidence of a virus/backdoor at all. MSERT shows nothing and I cannot find any strange webhooks, aspx files or other things.
Mails still keep coming.
Did you find any clue?
Best regards,
Bernd
We had the exact same issue with 3 different iterations in the spam folder. Turns out you are indeed compromised. Windows Defender found multiple infected files. Tried Sophos as well and it found nothing. To remediate we first removed all access from outside the organization "OWA". Next we built a new Exchange server and migrated the roles to the new server. Just finished migrating the last mailboxes this weekend to the new server and will be decommissioning the old server this week. I will attach links to references we received from the NYS Cyber Response Team.
It's part of an attack chain discovered by Orange Tsai that exploits ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and was discussed recently at Black Hat. FireEye mentions it here:
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html
Orange Tsai published his findings here with a lot more detail:
https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-atta
Below is a link to a translated Chinese-language article that discusses more of Orange Tsai's findings and specifically mentions the "welcome to darkness side" text, etc.
https://translate.google.com/translate?hl=en&sl=zh-CN&u=
GitHub post/Python script that references the text as well.
Original: https://github.com/dmaasland/proxyshell-poc/blob/main/proxyshell_rce.py
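Added example, not code from this thread, from the NYS Cyber Response Team or from the researchers linked above: a small Python hunt over Exchange's IIS W3C logs for the request shape the ProxyShell chain leaves behind. The pattern it looks for is the Autodiscover path confusion from Orange Tsai's write-up (a request to /autodiscover/autodiscover.json whose query contains an "@" and a backend path such as /mapi/nspi or /powershell, with Email=autodiscover/autodiscover.json). The log lines are constructed for the example; the IP, domain, token and file name are placeholders. The /aspnet_client/*.aspx rule is only a heuristic for a common web shell drop location and will flag any legitimate file there, so treat it as a lead, not a verdict.

```python
"""Hunt IIS W3C logs for ProxyShell request patterns (added example, constructed sample data)."""
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C format; not real traffic. On an Exchange server the
# real files normally live under %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-30 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-30 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-09-30 10:01:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=PLACEHOLDERTOKEN&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-09-30 10:02:40 10.0.0.5 GET /aspnet_client/shell.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-09-30 10:03:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 alice@example.com 198.51.100.4 Outlook/16.0 200
"""

# Backend paths the path-confusion request is steered to in the published chain.
PROXYSHELL_BACKENDS = re.compile(r"/(powershell|mapi/nspi|ews|ecp)\b", re.IGNORECASE)
# Heuristic only: a frequent drop location for the exported .aspx web shell.
WEBSHELL_DROP = re.compile(r"^/aspnet_client/.+\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a rule name for a suspicious record, or None for benign traffic."""
    stem = rec.get("cs-uri-stem", "")
    query = unquote(rec.get("cs-uri-query", ""))  # %3F -> ? etc.
    if stem.lower() == "/autodiscover/autodiscover.json" and "@" in query:
        backend = PROXYSHELL_BACKENDS.search(query)
        if backend:
            return "proxyshell-path-confusion:" + backend.group(1).lower()
        if "email=autodiscover/autodiscover.json" in query.lower():
            return "proxyshell-path-confusion:unknown-backend"
    if WEBSHELL_DROP.match(stem):
        return "possible-dropped-webshell"
    return None


def hunt_iis_log(text):
    """Return a list of findings (client IP, rule, time, request) for a whole log."""
    findings = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append({
                "client": rec.get("c-ip"),
                "rule": rule,
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "stem": rec.get("cs-uri-stem"),
                "query": rec.get("cs-uri-query"),
            })
    return findings


def suspicious_clients(findings):
    """Group rule hits by client IP so one source chaining several stages stands out."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["rule"])
    return by_client


if __name__ == "__main__":
    hits = hunt_iis_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["rule"], h["stem"], h["query"])
    for client, rules in suspicious_clients(hits).items():
        print(client, "->", ", ".join(sorted(rules)))
```

Run it against a concatenation of the server's W3SVC1 logs; a single external client hitting /mapi/nspi then /powershell through autodiscover.json within seconds, followed by a request to a fresh .aspx, is the sequence to pull timestamps and file names from for further forensics. A patched server still keeps the old log lines, so this also answers the "was I hit before I patched" question that patching alone does not.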
BerndW (Copper Contributor), Oct 05, 2021:
Hi Brian,
thanks for your help and the links. I could not find any of the backdoors at the two servers. I've patched one yesterday to CU22 and the other one will also be patched this week. I hope we can get rid of the infection.
Best regards,
Bernd
Brian_Burke (Copper Contributor), Oct 05, 2021:
Hello,
Everything I read said that once you see indications of compromise the patching is too late; there's already an infiltration. That's why we took the steps to remove outside access and rebuild. Just something to think about. Best of luck to you.