Hi, we recently got hacked... through port 443. Caught the attack early, started around 6pm Friday. It spread only to the domain controllers after the Exchange server. Unfortunately our daily backup is run at 7pm so the last 100% good backup is 7pm on Thursday night. I've restored the 2 domain controllers to 2 good versions and I'm building 2 new clean domain controllers to replace them ASAP.
Management wants email back up by Monday am. I've had a support ticket open with Microsoft since early Saturday morning with no callback yet. Apparently Microsoft support has been overrun with Exchange attacks and open tickets etc.
I may have to tackle this myself. I'm not 100% convinced the EDB files I have from the Friday 7pm backup are messed up... I know the OS/Exchange install seems to be. I've cleaned the server with Avast etc. and I don't believe there is any more malware running. Ideally I will see if I can get the mailboxes mounted enough to transfer them to a new server.
Failing that, if I restore to that 7pm backup from the day before (and obviously patch everything to 100% ASAP), what will happen to email in the users' mailboxes that is in the local Outlook etc.? All our mail is queued at a filtering appliance so I can manually re-deliver all the inbound mail again. I'm wondering if there is any way to preserve outbound/sent items? The majority of staff would have had Outlook open Friday end of day, maybe a few only using phones etc. What happens to items that are in the local Outlook OST? Orphans? Do they re-insert into the Exchange mailbox?