Title: PST hacked
Post by: Hack_80 on December 29, 2010, 12:44:17 AM

Hi,
I am facing an issue of a hack in my network. One of the users' PSTs got hacked and the hacker is sending mails of the same PST attached through Gmail to his official ID. We blocked the specific email ID but the hacker is still sending such mails. We are unable to trace the hacker. We have gone through the Event IDs but no track has been traced. What is the way out to trace the hacker? Thanks in advance.

Title: Re: PST hacked
Post by: MaXe on December 29, 2010, 04:08:32 AM

Set up a network IDS like Snort and wait for the malicious / illegal traffic to occur.
When it occurs, save it and follow the "stream" to see what happens but also where it comes from. That's probably the easiest way.

Title: Re: PST hacked
Post by: Ketchup on January 03, 2011, 02:47:15 PM

What do you mean by "user's PST got hacked?" PST files really don't have much in terms of security, all you have to do is open it. The password protection feature is very rudimentary and can easily be defeated. Are you sure these emails aren't coming from outside and aren't something like NDR bombs?

Title: Re: PST hacked
Post by: SephStorm on January 03, 2011, 04:42:53 PM

While I have no idea what an NDR bomb is, I was going to ask the same question. I would assume the user's computer was infected, possibly with a trojan horse... Now that I think about it, even that isn't required. A hacker could create a malicious file with the PST extension. That doesn't require any penetration of your network, just knowledge of valid usernames. Although I assume someone has opened the file, in which case we are back to trojan.

Title: Re: PST hacked
Post by: Empires89 on January 05, 2011, 12:24:39 AM

There's a million and one ways to spoof an email address to look like it's coming from one server or one user. I don't understand how a PST file can be "hacked" so that it's sending email. To my understanding the PST file is just a file that holds the user's email data, calendar, inbox, etc. When you speak of the "hacker" sending this PST file out I picture in my mind a large attachment, not spoofing.
It might not be coming from the user's computer but instead the email server. Or maybe it's just being spoofed.
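
Added example, not part of any post in this thread: one way to check whether a message like the ones discussed entered from outside or never left the internal network is to walk its Received headers oldest-first. The sample message, host names, addresses and the RFC 1918 definition of "internal" are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message; hosts and addresses are made up.
SAMPLE = """\
Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])
\tby mbx.corp.example with ESMTP; Wed, 29 Dec 2010 00:40:03 +0000
Received: from mail-out.webmail.example (mail-out.webmail.example [203.0.113.25])
\tby mx1.corp.example with ESMTP; Wed, 29 Dec 2010 00:40:01 +0000
Received: by mail-out.webmail.example with HTTP; Wed, 29 Dec 2010 00:39:58 +0000
From: someone@webmail.example
To: user@corp.example
Subject: constructed sample

body
"""

# Assumption: "internal" means RFC 1918 space; adjust to your own ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_internal(ip):
    """True/False for a valid IPv4 string, None if it does not parse."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL)

def trace_hops(raw):
    """Return Received hops oldest-first as (from_host, ip, internal)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m_from = re.match(r"from (\S+)", text)
        m_ip = IP_RE.search(text)
        ip = m_ip.group(1) if m_ip else None
        hops.append((m_from.group(1) if m_from else None, ip,
                     is_internal(ip) if ip else None))
    return hops

def entry_point(hops):
    """Oldest hop with a non-internal address, or None if all hops are internal.
    Only headers stamped by your own servers are trustworthy; older ones can be forged."""
    for host, ip, internal in hops:
        if ip and internal is False:
            return host, ip
    return None
```

A result of None from entry_point means every recorded relay was internal, which points at a machine or server inside the network rather than an outside sender.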