Outlook Spam Issue - Account Compromise

  • Question

  • Hi all

    A bit of help on this one if anyone can. An Outlook account (on Exchange) seems to have been compromised, however in an automated spam kind of way: a rule is set up on the account to move items from inbox to deleted items, and email is sent from the account to other accounts including itself.

    An email was received into one account with a scam weblink. A user did submit their details, however it does not result in manual activity, more automated.

    Any ideas?

    Luke

    Monday, September 26, 2016 1:12 PM

Answers

  • Hi,

    I noticed you said the operation stopped after changing the account password. It may mean that someone might be using your account to access your personal info or execute the above actions.

    To get some useful clues, I suggest you use the following command to enable Mailbox Audit Logging for the Mailbox:

    Set-Mailbox -Identity "user" -AuditEnabled $true

    Audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox.

    We can refer to the link below to get more information about Mailbox Audit Logging:

    https://technet.microsoft.com/en-us/library/ff459237(v=exchg.141).aspx

    Regards,


    David Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by David Wang_ Monday, October 10, 2016 1:49 AM
    • Marked as answer by David Wang_ Tuesday, October 11, 2016 6:25 AM
    • Unmarked as answer by Luke122to4 Tuesday, October 11, 2016 6:15 PM
    • Marked as answer by Luke122to4 Tuesday, October 11, 2016 6:16 PM
    Sunday, October 2, 2016 1:21 PM
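
A follow-up to the audit-logging suggestion above, as an added example that is not part of the original thread: it turns on auditing including owner actions, lists inbox rules that hide or divert mail, and summarises which client IP addresses and clients touched the mailbox. It assumes the Exchange Management Shell on an on-premises server; "user" is the thread's placeholder and the 7-day window is an arbitrary choice.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$Mailbox = "user"                      # placeholder identity, as in the answer above
$Since   = (Get-Date).AddDays(-7)      # assumed look-back window

# Owner actions are not audited by default on on-premises Exchange. Someone
# signing in with the user's own password is logged as LogonType "Owner",
# so enable owner auditing explicitly or the activity will not be recorded.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner Create,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete

# Inbox rules that delete, move, forward or redirect mail: the pattern
# described in the question (Inbox items moved to Deleted Items).
Get-InboxRule -Mailbox $Mailbox |
    Where-Object {
        $_.DeleteMessage -or $_.MoveToFolder -or
        $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo
    } |
    Format-List Name, Enabled, Description, MoveToFolder, DeleteMessage,
                ForwardTo, RedirectTo, ForwardAsAttachmentTo

# Pull detailed audit entries. Entries exist only from the moment auditing
# was enabled, so run this after the suspicious activity has recurred.
$Entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Owner,Delegate,Admin -ShowDetails `
    -StartDate $Since -EndDate (Get-Date) -ResultSize 5000

# Which client IPs and client types performed the actions, most active first.
$Entries |
    Group-Object ClientIPAddress, ClientInfoString |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Timeline of the individual operations for correlation with sign-in logs.
$Entries |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, LogonType, ClientIPAddress,
                  ClientMachineName, ClientProcessName, ClientInfoString,
                  FolderPathName |
    Format-Table -AutoSize
```

An unfamiliar client IP address or a client string that does not match the user's normal Outlook build is the lead to follow up on.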

All replies

  • Hi,

    "however in an automated spam kind of way, a rule is set up on the account to move items from inbox to deleted items, email is sent from the account to other accounts including itself."

    Sorry, I can't understand your words, can you please provide more details?

    I will ask some related questions for further analysis.

    Are you using Junk Email Filter on Outlook?

    How do you set Junk email filter?

    Does the issue occur on one user?

    About your issue, if you are using junk email filter, please make the filter more aggressive by changing the level of protection that it provides.

    Also refer to the following link for more information about account compromise:

    https://support.microsoft.com/en-us/help/10494/microsoft-account-get-back-compromised-account

    Regards,


    David Wang
    TechNet Community Support






    • Edited by David Wang_ Wednesday, September 28, 2016 8:03 AM
    Tuesday, September 27, 2016 5:18 AM
  • Hi David

    We have a report in the organisation that email is being sent from an employee's mail account, however they have not sent the mail and a rule is set up on the account to move items from the inbox to Deleted Items.

    This is quite a common occurrence. I'm pretty sure that it is malware orientated, however I'm trying to understand more how it occurs. It doesn't seem to be 'someone', i.e. a person using the credentials to gain access and manually add rules, delete emails or even send malicious email; it seems to follow a more automated process. I'm trying to find out how (if it is an infection) it propagates to exploiting the mail.



    Tuesday, September 27, 2016 7:41 AM
  • Does the spam-sending/mail-moving operation continue after changing that account's password?

    Do you have a retention policy on your exchange server (or in Outlook)?

    Tuesday, September 27, 2016 3:09 PM
  • Hi Alceryes

    Once the account password has been changed the operation stops, I believe once it starts to happen we set the retention to 0

    Tuesday, September 27, 2016 5:10 PM