This is using MS Exchange Server 2019 on-prem. Over the last 3 days, a few users reported that they were sending emails to inside users that, in actual fact, they didn't send. The similarity found in these emails is that there are 2 "links" that look like these:
Good day! I send here a recordwith a thorough explanation of the recent accident. Please examine it here:
Please login Zoom with the following on Monday (4 May) 9.20am
Meeting ID: 999 999 9999
Could this be the recent exploit, the so-called ProxyShell, especially for those Exchange servers not patched with the October patches? However, the above server is already patched with the October patches. One more thing: GFI MailEssentials is deployed, but could this help?