SooHow Cheng (Singapore) asked:

More and more phishing mails on Exchange server: what to do?

This is using MS Exchange Server 2019 on-prem. In the last 3 days, a few users reported that they were sending emails to internal users that in actual fact they didn't. The similarity found in these emails is that there are 2 "links" that look like these:


Good day! I send here a record with a thorough explanation of the recent accident. Please examine it here:

1) turtlebaytrading.com/earumdelectus/doloremut-2632883

2) shopyzoon.com/sunttempore/utvoluptas-2632883


Please login Zoom with the following on Monday (4 May) 9.20am

https://zoom.us/j/<<link-text-edited>>

Meeting ID: 999 999 9999

Password: abc123

Could these be the recent exploit by the so-called ProxyShell, especially for those Exchange servers not patched with the October patches? However, the above server is already patched with October's. One more thing: GFI MailEssentials is deployed, but could this help?


Thanks,

Tags: Exchange, Spam blockers


8/22/2022 - Mon
Seth Simmons

Last 3 days, few users reported that they were sending emails to the inside users that in actual fact they didn't.

I would analyze the email headers to see where they originated from (look at message properties in Outlook; they will appear in the Internet headers box).
Also make sure your server is not an open relay (MXToolbox will help).
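A way to run both of those checks from the Exchange Management Shell on the server, as an added example that is not part of Seth's reply: the reported sender address, the 3-day window and the header file path are placeholders, and the relay check looks only for the anonymous-relay extended right on each receive connector.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Exchange 2019 server. Placeholder values are marked as such.
$ReportedSender = "user@example.com"        # placeholder: address the users say "sent" the mail
$Start          = (Get-Date).AddDays(-3)    # the 3-day window mentioned in the question
$HeaderFile     = "C:\temp\suspect-headers.txt"  # placeholder: Internet headers pasted from Outlook

# 0) Optional: unfold the pasted headers and print the Received: chain.
#    The last Received: line is the first hop, i.e. where the mail really came from.
if (Test-Path $HeaderFile) {
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in Get-Content $HeaderFile) {
        if ($line -eq '') { break }                                  # blank line ends the header block
        elseif ($line -match '^\s' -and $unfolded.Count -gt 0) {     # folded continuation line
            $unfolded[$unfolded.Count - 1] += ' ' + $line.Trim()
        }
        else { $unfolded.Add($line) }
    }
    "Received chain (top = last hop, bottom = origin):"
    $unfolded | Where-Object { $_ -like 'Received:*' } | ForEach-Object { ($_ -replace '^Received:\s*', '') }
}

# 1) How did the reported messages enter the organisation?
#    Source = SMTP with an external ClientIp means the mail arrived over SMTP with a
#    forged From: address; Source = STOREDRIVER (submitted from the mailbox itself)
#    would instead point at a compromised account, which needs a different response.
"Message tracking for $ReportedSender since $Start:"
Get-MessageTrackingLog -Sender $ReportedSender -EventId RECEIVE -Start $Start -ResultSize Unlimited |
    Select-Object Timestamp, Source, ConnectorId, ClientIp, ClientHostname, MessageSubject,
                  @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
    Sort-Object Timestamp |
    Format-Table -AutoSize

# 2) Is any receive connector an open relay?
#    Anonymous relay is granted by the ms-Exch-SMTP-Accept-Any-Recipient extended right
#    for NT AUTHORITY\ANONYMOUS LOGON. A connector listed with AnonymousRelay = True
#    that is bound to an Internet-facing address and a wide RemoteIPRanges relays for anyone.
"Receive connectors:"
Get-ReceiveConnector | ForEach-Object {
    $conn  = $_
    $relay = Get-ADPermission -Identity $conn.Identity |
        Where-Object {
            $_.User -like '*ANONYMOUS LOGON*' -and
            -not $_.Deny -and
            ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*')
        }
    [pscustomobject]@{
        Connector      = $conn.Identity
        Bindings       = ($conn.Bindings -join ', ')
        RemoteIPRanges = ($conn.RemoteIPRanges -join ', ')
        PermissionGroups = $conn.PermissionGroups
        AnonymousRelay = [bool]$relay
    }
} | Format-Table -AutoSize
```

The tracking log answers the question the headers only hint at: if the RECEIVE events show an external ClientIp on the Internet-facing connector, the "internal" sender was simply forged and the fix is on the inbound side (SPF/DMARC enforcement in the spam filter, external-sender tagging); if they show STOREDRIVER submissions, the mailbox itself was used and the account should be treated as compromised. An external test such as MXToolbox's relay check complements step 2, because it exercises the connector from outside rather than reading its configuration.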

ASKER CERTIFIED SOLUTION
M A

SooHow Cheng

ASKER
Hi MAS,

The above patches are already applied.
SooHow Cheng

ASKER
Hi Seth,

The headers have already been checked: one is from Zimbabwe and the other from the Netherlands.
strivoli

I would check if your "Gfi MailEssentials" is updated too.
Robert

Aside from what was already said, one thing I find that helps is to add a disclaimer to any emails that come from outside (it helps the users notice that the email is not an internal message).
The setup is fairly easy; just create a rule something like this:

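The same kind of rule built from the Exchange Management Shell instead of the Exchange admin center, as an added example that is not Robert's own rule (his screenshot is not in the page): the rule name, subject tag and banner wording are placeholders.

```powershell
# Added example, not from the original thread. Creates a mail flow rule that tags
# mail from outside the organisation. Run in the Exchange Management Shell.
$RuleName = "External sender warning"   # placeholder name

# Banner inserted at the top of the message body. Plain HTML, no images or links,
# so it renders the same in every client and cannot itself be used as a lure.
$Banner = @"
<div style="border:1px solid #d9a300;background:#fff4ce;padding:6px;font-family:sans-serif;font-size:12px">
<b>EXTERNAL:</b> This message came from outside the organisation. Do not open links or
attachments, or act on requests, unless you recognise the sender and were expecting it.
</div>
"@

New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `              # sender is outside, or inside but unauthenticated
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `             # visible even in clients that hide the body banner
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $Banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `   # if the body cannot be modified, wrap it instead of dropping the rule
    -Mode Enforce `
    -Comments "Tags inbound mail from outside the organisation so users can spot spoofed internal senders"

# Confirm the rule is enabled and scoped as intended.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Priority, FromScope, SentToScope, PrependSubject, ApplyHtmlDisclaimerLocation
```

The point that makes this useful for the case in the question: Exchange evaluates the "outside the organization" scope on how the message was authenticated, not on the From: address alone. A message with an internal From: that arrived anonymously over SMTP from the Internet is treated as outside, so forged "internal" mail gets the banner while genuine internal mail does not. Start with -Mode Audit if you want to see what the rule would match before enforcing it.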
SooHow Cheng

ASKER
Hi MAS,

I found out from my coworker that he actually patched after the incident happened.
Now there are no more such phishing mails any more.