I believe one of our accounts may have been compromised.
I have a user callled "User" that appears to be relaying mail from an IP that is not in our block.
If I look under Exchange System Mgr. > Servers >Protocols>SMTP> Default>Current Sessions
I see an account called User and a from IP of 18.104.22.168 which I have no idea who that is.
How can I tell which account on my side has been compromised?