Recently, multiple employees have come to me saying that their Exchange accounts were breached over the time span of a few days. I have a theory that there is some form of worm on one of the computers within the domain that is periodically sending out spam/phishing links to customers and contractors. I have tried multiple AV scanners on all of the computers, but they're all turning up empty.

The main point of this question: I need to find out where a user login is originating so I can begin to fix the problem. How can I find out where a user login originates and at what time that login occurred, so that it can be cross-referenced with some rejected spam emails that were returned to us?

  • Exchange 2016 CU9 v15.1
  • Windows Server 2016 v1607
Stillkill
  • Hi, it's been a while; is there an update? If your problem has been fixed, you could mark the best answer or share the solution to finish this thread. – Ivan_Wang Nov 19 '21 at 01:58

1 Answer

You could navigate to the following location, which stores the IIS log:

%SystemDrive%\inetpub\logs\LogFiles\W3SVC1

The IIS log includes the access request info (e.g. IP address, username, service, port) from ECP, OWA, ActiveSync, MAPI, etc.

The info in the IIS log looks like the following:

[screenshot: sample IIS log entries]

Maybe the IIS log can help you find the culprit.

Besides, based on your description, the version of your Exchange server is not the latest; you'd better install the latest CU/SU for Exchange. Normally the latest CU/SU includes fixes for nonsecurity issues and all previously released fixes for security and nonsecurity issues: CU22 for Exchange 2016

Recently, several vulnerabilities have been found in Exchange 2013/2016/2019; one of the vulnerabilities is related to spoofing:

Ivan_Wang
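The answer above points at the W3SVC1 IIS log but does not show how to turn it into the "which account, from which address, at what time" view the question asks for. The following PowerShell is an added example (my code, not from the answer or from Microsoft): it parses the W3C header so the column order does not have to be assumed, keeps only authenticated requests to the client-facing Exchange virtual directories, summarises them per account/client IP/user agent, and then lists the sessions that were active shortly before each bounced message came back. The log lines, account names, IP addresses, bounce times and the function name `ConvertFrom-IisW3CLog` are all constructed for the example.

```powershell
# Added example, not part of the original answer. Parses Exchange IIS W3C logs to
# show where and when each account was used, then matches active sessions against
# the times at which rejected spam was returned. All sample data below is constructed.

# Constructed stand-in for %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\u_exYYMMDD.log.
# Real files carry the same "#Fields:" header; the column order can differ between
# servers, which is why the parser reads the header instead of hard-coding positions.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-11-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-02 08:12:03 10.0.0.5 GET /owa/ - 443 CONTOSO\jsmith 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0)+Chrome/95.0 200
2021-11-02 08:12:09 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CONTOSO\jsmith 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0)+Chrome/95.0 200
2021-11-02 22:41:50 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.45 Mozilla/5.0+(X11;+Linux+x86_64) 302
2021-11-02 22:41:52 10.0.0.5 GET /owa/ - 443 CONTOSO\jsmith 203.0.113.45 Mozilla/5.0+(X11;+Linux+x86_64) 200
2021-11-02 22:43:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsmith 203.0.113.45 python-requests/2.26.0 200
2021-11-02 22:43:11 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsmith 203.0.113.45 python-requests/2.26.0 200
2021-11-02 23:05:18 10.0.0.5 POST /Microsoft-Server-ActiveSync User=mlee&DeviceId=ABC123&Cmd=Sync 443 CONTOSO\mlee 198.51.100.20 Apple-iPhone12C1/1902.108 200
2021-11-02 23:05:40 10.0.0.5 POST /owa/service.svc action=CreateItem 443 CONTOSO\mlee 10.0.0.91 Mozilla/5.0+(Windows+NT+10.0)+Firefox/94.0 200
'@

function ConvertFrom-IisW3CLog {
    # Hypothetical helper name; turns W3C log lines into objects keyed by field name.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # IIS writes a new header whenever the logged fields change, so re-read it each time.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        # W3C logging replaces spaces inside values with '+', so a plain space split is safe.
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # IIS records date/time in UTC; keep it UTC so it can be compared with bounce headers.
        $row['Timestamp'] = [datetime]::ParseExact("$($row['date']) $($row['time'])",
            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        [pscustomobject]$row
    }
}

# Only requests made after authentication carry the account in cs-username; the "-" rows
# are the logon form itself (e.g. POST /owa/auth.owa) or unauthenticated probes.
$authenticated = ConvertFrom-IisW3CLog -Lines ($sampleLog -split "`r?`n") |
    Where-Object { $_.'cs-username' -ne '-' -and
                   $_.'cs-uri-stem' -match '^/(owa|ecp|ews|mapi|Microsoft-Server-ActiveSync)' }

# One row per (account, client IP, user agent): where each account was used, and when.
$sessions = $authenticated |
    Group-Object -Property 'cs-username', 'c-ip', 'cs(User-Agent)' |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Timestamp)
        [pscustomobject]@{
            User      = $sorted[0].'cs-username'
            ClientIP  = $sorted[0].'c-ip'
            UserAgent = $sorted[0].'cs(User-Agent)'
            FirstSeen = $sorted[0].Timestamp
            LastSeen  = $sorted[-1].Timestamp
            Requests  = $sorted.Count
        }
    } | Sort-Object User, FirstSeen
$sessions | Format-Table -AutoSize

# Constructed: UTC receipt times of the rejections that came back. In practice take them
# from the bounce message headers or from the Exchange message tracking log.
$bounceTimes = @(
    [datetime]::new(2021, 11, 2, 22, 45, 0, [DateTimeKind]::Utc),
    [datetime]::new(2021, 11, 2, 23, 6, 30, [DateTimeKind]::Utc)
)
$window = [timespan]::FromMinutes(15)

# A session that was active in the window before a bounce is a candidate for having sent it.
$suspects = foreach ($t in $bounceTimes) {
    $sessions | Where-Object { $_.FirstSeen -le $t -and $_.LastSeen -ge ($t - $window) } |
        Select-Object @{n = 'Bounce'; e = { $t }}, User, ClientIP, UserAgent, FirstSeen, LastSeen
}
$suspects | Format-Table -AutoSize
```

On the constructed data the first bounce lines up with `CONTOSO\jsmith` being used from 203.0.113.45 by a non-browser user agent (`python-requests`), i.e. a credential used from outside rather than a worm on a domain PC, while the second bounce lines up with `CONTOSO\mlee` sending from OWA on 10.0.0.91, which is the kind of internal workstation the question suspects. Against real logs, replace the here-string with `Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log"`; each file has its own `#Fields:` header, so the parser copes with concatenated days. Two caveats: if Exchange sits behind a load balancer or reverse proxy, `c-ip` is the proxy's address and the real client only appears in an `X-Forwarded-For` header that IIS does not log unless you add it as a custom field; and the timestamps are UTC, so convert the bounce times to UTC before comparing rather than converting the log to local time.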