Exchange Server was exploit and used to send spam email

Brass Contributor

over past two day we seen there are lots of outgoing email and none of them are from our environment, email address are faked and keep sending to external user. 


we would like to know how to prevent this and reduce the likelihood of this issues from happening. any outgoing email log we can identify the source and potentially the leak spot. 


thank you! 

4 Replies

Hey @Don_Vlogeer ,


Do you actually see emails sitting in users' sent items or are able to see emails sent to external users using your exchange box using message trace? If you actually see emails leaving your exchange box then your environment has been compromised.


However, if you can't find emails that were sent out to an external user anywhere on your exchange server box, you will have to get the header of the email from an external user who actually received it. Upon examining the header you can check where the email actually originated from.


Most likely your domain is being spoofed and is being used to send out emails to external parties. That's how SMTP protocol was built and you can not stop spoofing. There are free tools available to send fake emails.

You can enable DKIM on your domain so that every email you do actually send out from your exchange server has a signature embedded, That being said it is still on the receiver to check for DKIM/Signature against the emails they receive to verify if it actually came from you guys.

Hello Don,

We are investiging similar messages and messages primarily for non existing domains in our environments. In our case mostly for and domains, although totally not relevant for any of our organizations. We don’t expect any of our organizations is compromised and so far we trace it back to a new form of spoofing or tricking spamfilters. All out Exchange farms are behind different isolated relay solutions.

Mails are related to payments and bitcoin frauds. Also classical “we see what you are doing online” messages.


So far we see it has stopped at dec4 22:10 EU time.

I will update here if we find some interesting details that are worth sharing.

In any case I suggest you to send an internal message that users should be careful.

Kind regards,


We closed the case internally as we see this as a new form of spam that tweaked known algo's. Now all mail messages are picked up by antispam, so probably they found a new way to get passed them. We performed checks on various systemens and see no reason to continue the research for now. However, we will do extra monitoring on abnormal mail activity.


here are some updates seen on from our environment


I ran message tracking and found out there are strange outgoing email. for example email address removed for privacy reasons send email to email address removed for privacy reasons. But within our environment there is no mailbox email address removed for privacy reasons   


Is spammer using our server FQDN and relay email anonymously? I have disable the anonymous permission group from default frontend connector but still no help. 



Is there anyway we can eliminate anonymous relay or prevent this from happening