This is using MS Exchange Server 2019 on-prem. Over the last 3 days, a few users reported that they were apparently sending emails to inside users that in actual fact they didn't send. The similarity found in these emails is that there are 2 "links" that look like these:
Good day! I send here a record with a thorough explanation of the recent accident. Please examine it here:
1) turtlebaytrading.com/earumdelectus/doloremut-2632883
2) shopyzoon.com/sunttempore/utvoluptas-2632883
Please login Zoom with the following on Monday (4 May) 9.20am
https://zoom.us/j/<<link-text-edited>>
Meeting ID: 999 999 9999
Password: abc123
Could these be the recent exploit, the so-called ProxyShell, especially for those Exchange servers not patched with the October patches? However, the above server is already patched with the October patches. One more thing: GFI MailEssentials is deployed, but could this help?
Thanks,
I would analyze the email headers to see where they originated from (look at the message properties in Outlook; they will appear in the Internet headers box).
Also make sure your server is not an open relay (MxToolbox will help).
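
The header check suggested in the reply above can be scripted. The following is an added example, not part of the original posts: it walks the `Received` chain of pasted Internet headers and reports the peer IP that your own Exchange server recorded, together with the `X-MS-Exchange-Organization-AuthAs` value. The host name, internal range and sample headers are constructed assumptions; replace `OWN_HOSTS` and `INTERNAL_NETS` with your own.

```python
import email
import ipaddress
import re

# Assumptions for this example: your own mail hosts and internal address ranges.
OWN_HOSTS = {"ex01.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample headers, as pasted from Outlook's Internet headers box.
SAMPLE = (
    "Received: from EX01.corp.example (10.0.0.5) by EX01.corp.example (10.0.0.5)\n"
    " with Microsoft SMTP Server; Mon, 1 Nov 2021 09:20:11 +0000\n"
    "Received: from mail.sender.example (203.0.113.45) by EX01.corp.example\n"
    " (10.0.0.5) with Microsoft SMTP Server; Mon, 1 Nov 2021 09:20:10 +0000\n"
    "Received: from [198.51.100.7] by mail.sender.example with ESMTPA;\n"
    " Mon, 1 Nov 2021 09:20:08 +0000\n"
    "From: Alice <alice@corp.example>\n"
    "To: Bob <bob@corp.example>\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "\n"
)

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def hops_oldest_first(msg):
    """Parse Received headers into (peer_ip, by_host) pairs, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        peer, _, rest = text.partition(" by ")
        ip = IP_RE.search(peer)
        by = rest.split(" ", 1)[0].lower() if rest else ""
        hops.append((ip.group(1) if ip else None, by))
    return hops

def assess_origin(raw_headers):
    """Classify where a message entered your organization."""
    msg = email.message_from_string(raw_headers)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip()
    # Hops older than the first one recorded by your own server can be forged,
    # so the verdict rests on the peer IP your server itself logged.
    for ip, by in hops_oldest_first(msg):
        if by in OWN_HOSTS:
            addr = ipaddress.ip_address(ip) if ip else None
            inside = addr is not None and any(addr in n for n in INTERNAL_NETS)
            return {"entry_ip": ip, "auth_as": auth_as,
                    "origin": "internal" if inside else "external"}
    return {"entry_ip": None, "auth_as": auth_as, "origin": "unknown"}

if __name__ == "__main__":
    print(assess_origin(SAMPLE))
```

An `external` origin with an internal From address points to spoofed mail arriving from outside, while an `internal` origin means the message was submitted from inside the network and the sending mailbox or host should be investigated.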