We had a successful phishing attempt whereby a couple of users were tricked into clicking a link in an email and giving their usernames and passwords.
Really silly, I know.
I can see on our Exchange CAS servers that the phisher then logged in via OWA.
Those compromised mailboxes started spewing out spam.
That's how the problem got noticed.
Our Security department wants to know if protected customer information was accessed in the compromised mailboxes.
I really have no way to determine that.
Like, if an email was read, or if an attachment was opened.
Our OWA is set up so that it presents a choice of Public Computer or Private Computer at logon.
If Public Computer is chosen then file attachments are blocked.
So would there be any way to determine if the attacker came in on the Public or Private option?
Upstream of our CAS servers are a couple of Forefront TMG servers.
But I'm not finding much of use in Reports on the TMG servers.
Also does anyone know of a company that would be able to perform a forensics analysis of this incident?