Forum Discussion
hello darkness my old friend worrying emails in draft
Hi there,
we are facing the same strange mails with Exchange 2016. We are just updating to CU22 and did not find any evidence of a virus/backdoor at all. MSERT shows nothing and I cannot find any strange webhooks, aspx files or other things.
Mails still keep coming.
Did you find any clue?
Best regards,
Bernd
BerndW For us we indeed noticed some webhooks under the Program Files, applicationHost.config has been altered as well - there have been virtual directories added. We deleted those, fully patched the server, did multiple MSRT full scans. After that the mails in the draft still appeared.
We fully deleted those mails from user boxes via
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -DeleteContent
You can check if you have those emails here
Get-Mailbox | Search-Mailbox -SearchQuery 'attachment:FileAttachment.txt' -EstimateResultOnly | Select-Object -Property Identity, ResultItemsCount
After deletion those emails are no longer appearing, however we're still monitoring, also a fresh Exchange server is in the works.
- BerndW, Oct 05, 2021, Copper Contributor
Hi James,
thanks for your info and the PowerShell commands. I'll let our customer run both. I'm still hoping that we don't have to reinstall the cluster.
Best regards,
Bernd
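
One way to check for the added virtual directories mentioned in the reply above is to diff the virtual directories in the current applicationHost.config against a copy known to predate the incident. This is an added example, not code from any poster in the thread. The function names Get-VDirEntry and Compare-VDirBaseline are hypothetical, and the XML and paths in the sample are constructed.

```powershell
# Added example (not from the thread). All XML below is constructed sample data.
function Get-VDirEntry {
    # Flatten every site/application/virtualDirectory into one object per vdir.
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($site in $Config.SelectNodes('//sites/site')) {
        foreach ($app in $site.SelectNodes('application')) {
            foreach ($vd in $app.SelectNodes('virtualDirectory')) {
                $url = $app.GetAttribute('path').TrimEnd('/') + '/' + $vd.GetAttribute('path').TrimStart('/')
                [pscustomobject]@{
                    Site         = $site.GetAttribute('name')
                    Url          = $url
                    PhysicalPath = $vd.GetAttribute('physicalPath')
                }
            }
        }
    }
}

function Compare-VDirBaseline {
    # Return vdirs in $Current whose site, URL and physical path are not in $Baseline.
    param([Parameter(Mandatory)][xml]$Baseline, [Parameter(Mandatory)][xml]$Current)
    $key = { param($e) ('{0}|{1}|{2}' -f $e.Site, $e.Url, $e.PhysicalPath).ToLowerInvariant() }
    $known = @{}
    foreach ($e in Get-VDirEntry -Config $Baseline) { $known[(& $key $e)] = $true }
    Get-VDirEntry -Config $Current | Where-Object { -not $known.ContainsKey((& $key $_)) }
}

# Constructed baseline: two expected virtual directories.
$baselineXml = @'
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <application path="/"><virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" /></application>
    <application path="/owa"><virtualDirectory path="/" physicalPath="C:\ExampleExchange\FrontEnd\owa" /></application>
  </site>
</sites></system.applicationHost></configuration>
'@
# Constructed current config: same as baseline plus one added virtual directory.
$currentXml = $baselineXml.Replace(
    '<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />',
    '<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" /><virtualDirectory path="/example" physicalPath="C:\ExampleExchange\unexpected" />')

Compare-VDirBaseline -Baseline $baselineXml -Current $currentXml | Format-Table -AutoSize

# Real use (assumes default IIS locations):
#   -Current  (Get-Content -Raw "$env:windir\System32\inetsrv\config\applicationHost.config")
#   -Baseline (Get-Content -Raw <copy from backup or from "$env:SystemDrive\inetpub\history\CFGHISTORY_*">)
```

The comparison is only as trustworthy as the baseline: a history snapshot taken after the server was altered will already contain the added entries, so prefer a backup or a snapshot dated before the first suspicious activity.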