
I received malware from an internal email address in the same organisation. When I reviewed the malware report, I noticed that the sender and receiver are in the same organisation and that the user didn't send any email.

How can I resolve that problem?

1 Reply

Hey @Walid Fawzy,


It sounds like you have a compromised user!


I would immediately do a few things:

- Disable that user account/block login access

- Run antivirus and antimalware scans on the user's devices; make sure you are not going to change the password and just immediately compromise that user again


Once you are confident their devices are clean...

- Reset their password in AD if they are local, or in the cloud if they are not.

- Assume if they use that password for anything else that has also been compromised, and have them change/update them locally as well

- Run a message trace for any mail sent by your compromised user over the last few days, make sure other users in your org did not get the same junk sent to them. If anyone has, follow up with them and run antivirus etc. scans on them too.

- Run another message trace for the malicious email you saw, then go through the process of deleting it (



Once all of that is done hopefully the situation is good. Perhaps talk to your user and figure out what behavior caused them to get compromised, but for now focus on limiting impact and protecting yourself.
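
Added example, not part of the original reply: one way to run the message trace for mail sent by the compromised account and list the internal recipients to follow up with. It assumes Exchange Online with the ExchangeOnlineManagement module; the address, the 7-day window and the output file name are placeholders.

```powershell
# Assumptions: Exchange Online, ExchangeOnlineManagement module installed,
# and an account allowed to run message traces.
$Compromised = 'user@contoso.example'    # placeholder: the compromised sender
$Start = (Get-Date).AddDays(-7)          # Get-MessageTrace reaches back 10 days at most
$End   = Get-Date

Connect-ExchangeOnline

# Get-MessageTrace is the classic cmdlet; tenants moved to Get-MessageTraceV2
# will need the equivalent call there. Page until a short page comes back.
$sent = @()
$page = 1
do {
    $batch = @(Get-MessageTrace -SenderAddress $Compromised `
                 -StartDate $Start -EndDate $End -PageSize 5000 -Page $page)
    $sent += $batch
    $page++
} while ($batch.Count -eq 5000)

# Internal recipients are the users whose devices also need scanning.
$domain   = $Compromised.Split('@')[1]
$internal = $sent | Where-Object { $_.RecipientAddress -like "*@$domain" }

# One row per subject line: number of copies and who received them.
$internal |
    Group-Object Subject |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{
        n = 'Recipients'
        e = { ($_.Group.RecipientAddress | Sort-Object -Unique) -join '; ' }
    } |
    Format-Table -AutoSize -Wrap

# Keep the raw trace as evidence before any mail is deleted.
$sent |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, MessageId |
    Export-Csv -Path .\compromised-sender-trace.csv -NoTypeInformation
```

The `FromIP` column in the export helps separate mail the user sent from their usual location from mail submitted from elsewhere.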