SooHow Cheng (Singapore) asked:

More and more phishing mails on Exchange server, what to do?

We are using MS Exchange Server 2019 on-prem. In the last 3 days, a few users reported that they were sending emails to internal users that they in fact did not send. The similarity among these emails is that there are two "links" that look like these:


Good day! I send here a record with a thorough explanation of the recent accident. Please examine it here:

1) turtlebaytrading.com/earumdelectus/doloremut-2632883

2) shopyzoon.com/sunttempore/utvoluptas-2632883

Please login Zoom with the following on Monday (4 May) 9.20am

https://zoom.us/j/<<link-text-edited>>

Meeting ID: 999 999 9999

Password: abc123
 

Could these be the result of the recent exploit, the so-called ProxyShell, especially for Exchange servers not patched with the October patches? However, the above server is already patched with the October updates. One more thing: GFI MailEssentials is deployed, but could this help?


Thanks,

Seth Simmons (United States of America) replied:

> In the last 3 days, a few users reported that they were sending emails to internal users that they in fact did not send.

I would analyze the email headers to see where they originated from (look at the message properties in Outlook; they will appear in the Internet headers box).
Also make sure your server is not an open relay (MXToolbox will help).
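The header check Seth describes, worked through on a sample, as an added example that is not part of his reply or the thread. The header block below is constructed for illustration, and the organization domain contoso.example, the host names and the IP addresses are all assumptions; paste the Internet headers of a real suspicious message into $RawHeaders to run it against your own case.

```powershell
# Added example (not from the thread). Parses an Outlook "Internet headers" dump to
# find where a message that claims an internal From: address really entered the
# organization. The header text, contoso.example and all hosts/IPs are constructed.

$OrgDomain = 'contoso.example'   # assumed accepted domain of the Exchange org

# Constructed sample, as copied from File > Properties > Internet headers in Outlook
$RawHeaders = @'
Received: from MAIL01.contoso.example (10.1.1.5) by MAIL01.contoso.example
 (10.1.1.5) with Microsoft SMTP Server id 15.2.986.5; Mon, 4 May 2020 08:02:11 +0800
Received: from mail.example.net (203.0.113.77) by MAIL01.contoso.example
 (10.1.1.5) with Microsoft SMTP Server id 15.2.986.5; Mon, 4 May 2020 08:02:09 +0800
Authentication-Results: spf=fail (sender IP is 203.0.113.77) smtp.mailfrom=contoso.example
From: "Alice Tan" <alice.tan@contoso.example>
To: bob.lim@contoso.example
Subject: Please login Zoom with the following on Monday
'@

function Test-PrivateIPv4 {
    # RFC 1918 ranges; anything else is treated as outside the organization
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    if ($o.Count -ne 4) { return $false }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Get-EntryHop {
    # Walk the Received: chain newest-first and trust only lines written by our own
    # servers ("by <our host>"); anything older may have been forged by the sender.
    # The first trusted line whose "from" IP is not private is where the message
    # entered the organization.
    param([string[]]$Received, [string]$Domain)
    foreach ($r in $Received) {
        if ($r -match 'from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)') {
            $fromHost, $fromIp, $byHost = $Matches[1], $Matches[2], $Matches[3]
            if ($byHost -like "*.$Domain" -and -not (Test-PrivateIPv4 $fromIp)) {
                return [pscustomobject]@{ FromHost = $fromHost; FromIP = $fromIp; ReceivedBy = $byHost }
            }
        }
    }
    return $null
}

# Unfold continuation lines (RFC 5322 folding) so each header is one line
$Lines      = ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n"
$Received   = @($Lines | Where-Object { $_ -match '^Received:' })   # newest first
$FromLine   = $Lines | Where-Object { $_ -match '^From:' }
$FromDomain = if ($FromLine -match '@([^>\s]+)') { $Matches[1] } else { '' }
$Auth       = $Lines | Where-Object { $_ -match '^Authentication-Results:' }

$Entry = Get-EntryHop -Received $Received -Domain $OrgDomain
if ($Entry -and $FromDomain -eq $OrgDomain) {
    "SPOOFED INTERNAL SENDER: From: claims $FromDomain, but the message entered at " +
    "$($Entry.ReceivedBy) from $($Entry.FromHost) [$($Entry.FromIP)]"
} elseif ($Entry) {
    "External message, entered from $($Entry.FromHost) [$($Entry.FromIP)]"
} else {
    "No external hop recorded by $OrgDomain servers; submitted internally or by an authenticated client"
}
if ($Auth) { $Auth }   # SPF/DKIM verdict, if the receiving server recorded one
```

With the constructed sample the script reports a spoofed internal sender entering from 203.0.113.77; a whois or geo lookup on that address gives the kind of answer the asker later reports (one in Zimbabwe, one in the Netherlands). If the entry IP turns out to be one of your own servers, that points at the open-relay case rather than spoofing: in the Exchange Management Shell, `Get-ReceiveConnector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' | Where-Object { $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' }` lists receive connectors that accept mail for any recipient from anonymous senders, which is what an external MXToolbox relay test would also reveal.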

ASKER CERTIFIED SOLUTION: M A (United States of America)

SooHow Cheng (asker) replied:

Hi MAS,

The above patches are already applied.
Hi Seth,

The headers were already checked; one is from Zimbabwe and the other from the Netherlands.
I would also check that your GFI MailEssentials is updated.

Aside from what was already said, one thing I find helps is to add a disclaimer to any email that comes from outside (it helps users notice that the email is not an internal message).
The setup is fairly easy.
Just create a rule something like this:
[image: screenshot of the transport rule]
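The external-sender disclaimer rule from the comment above, written out as Exchange Management Shell commands. This is an added example, not the commenter's screenshot or anything from the thread: the domain contoso.example, the rule names and the banner wording are assumptions. The second rule goes beyond the comment and rejects messages that arrive from outside the organization but carry one of our own domains in the From: header, which is exactly the pattern the question reports.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2019 server. contoso.example, the rule names and the banner text are
# assumptions; adjust to your accepted domains.

$OrgDomain = 'contoso.example'

# Rule 1: the disclaimer from the comment. Prepends a banner to every message that
# comes from outside the organization and is delivered to internal recipients, so a
# mail that "looks" internal but was injected from outside is visibly flagged.
New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#fff3cd;border:1px solid #ffc107;padding:6px;">CAUTION: This email came from outside the organization. Do not click links or open attachments unless you recognize the sender and expected the message.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments 'Flags external mail so users notice it is not an internal message'

# Rule 2 (beyond the comment): a message from outside that presents our own domain in
# the From: header is the spoofing pattern in the question. Created in Audit mode so
# legitimate external senders using our domain (SaaS mailers, scanners relaying via
# the Internet) show up in the message tracking log before anything is rejected.
$SpoofPattern = '@' + [regex]::Escape($OrgDomain) + '(>|$)'
New-TransportRule -Name "Reject external spoof of $OrgDomain" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $SpoofPattern `
    -RejectMessageReasonText 'External message with an internal sender address was rejected' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Priority 0 `
    -Comments 'Switch to -Mode Enforce after reviewing audit hits'

# Verify what was created and in which mode
Get-TransportRule | Format-Table Name, State, Mode, Priority, FromScope
```

After a few days of audit hits, exempt any legitimate sources with `Set-TransportRule -Identity "Reject external spoof of contoso.example" -ExceptIfSenderIpRanges <ip or range>` and then run `Set-TransportRule -Identity "Reject external spoof of contoso.example" -Mode Enforce`. The banner rule alone does not stop the mail, it only makes the "I didn't send that" report easier for users to make; the reject rule is what keeps the forged internal sender out of mailboxes.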
SooHow Cheng (asker) replied:

Hi MAS,

I found out from my coworker that he actually patched after the incident happened.
Now there are no more such phishing mails any more.