I'm the administrator of a school district with 1400+ users. We have two Exchange 2007 servers (one as the hub/transport, the other hosting the mailboxes), and utilize an onsite Sophos Spam Filtering appliance. All internal port 25 traffic is routed to the Exchange servers only, the Exchange servers route to the filter, and the filter is the only device that can send port 25 traffic through the firewall. Our clients are all Windows 7 professional, running Office 2013. We allow end users to set up mail on iOS devices using OWA. Remote Windows clients can get to their mailboxes using either OWA or ActiveSync.
Last week one of our users (who hasn't been in the district since mid-June) email accounts began spamming out to the world. The hub/transport server showed thousands of outbound messages in the queue emanating from her account. Her district computer was turned off. We disabled her account, cleared the queues, and began damage control.
I contacted her at home, and found that she accesses school email using her iPhone (OWA connection in the native mail client) and via a personal laptop using OWA through Internet Explorer. I asked her if she'd run into any virus/malware issues recently, and she stated that her laptop was infected, but she had it in and the problem was resolved by a tech company a couple of weeks ago. This seemed suspicious, so I asked her to have them take another look.
The next day the tech company reported that there were no signs of malware on her laptop, nor was there anything in quarantine that might account for the spam. We were stumped as to the cause of the outbreak, enabled her account again. We did ask her not to enable mail on her iPhone, but to only utilize OWA on her laptop. After three days, there has been no sign of spam from her account.
However, later on Friday I was confronted with another district user having a similar issue. This person was actively working in the district, although scans with SCCM's AV and Sophos' workstation agent found nothing out of the ordinary. The coincidental note here is that this user, like the first, has her email configured on her iPhone using OWA. At this point, we've left her account disabled.
I'm stumped here... our Apple tech says that there are still no known viruses for iOS devices (at least that he's aware of). I'm less convinced, but don't have any information to refute him.
This seems like a standard spambot, but I've not heard of malware being able to use OWA as a transport method for spam. I always assumed that the malware had to be resident on a workstation with Outlook configured.
Does anyone have any ideas on what might be happening, or on what steps I should take next? Since the iPhones and laptops in question aren't district devices, I'm prohibited by policy from bringing them in to take a look at them, which is really hampering my investigation.
Any help would be appreciated!