
Exchange intrusion


tomovboyan

Newbie

Posts: 1

Joined: Thu Oct 15, 2009 2:52 am

Post Thu Oct 15, 2009 4:10 am

Exchange intrusion

Hello,
I'm new to this forum, so I'm sorry if I didn't post my topic right.

So here is the thing. I'm using an Exchange Mail server 2007 with around 100 accounts. Yesterday a couple of accounts received the same message from a different internal user, THAT DOES NOT EXIST, telling them to download a patch file from this site:

http://updates.COMPANYNAME.com.secure.c ... 04536.aspx

where the COMPANYNAME is my Domain!!!

I checked the log file of the Exchange server, but there is nothing about the threat.

Please help. How the .... did this thing manage to enter? How can I prevent future attacks?

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Oct 15, 2009 5:33 am

Re: Exchange intrusion

Welcome to the forums.

It is likely that the message received was forged to look like it was an internal message. Check the headers of the message: does it appear to actually come from the inside, or is there a history of traveling through various SMTP hops in the headers?

It is also likely that the link provided in the email does not actually go to any resource internal to your domain. It looks like a phishing email and a dangerous one.

If this email did not originate from the inside, as I suspect, you can invest in a solid Anti-Spam product that should stop mail with forged headers from coming through.

Good luck!
~~~~~~~~~~~~~~
Ketchup

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Oct 15, 2009 5:53 am

Re: Exchange intrusion

Agree with Ketchup... implement some spam-blocking software, or if you already have some in place, set it to deny inbound email from your domain name. All of your internal->internal email should remain within your internal environment; there should never be a point where email "from" your domain is coming in from the outside (unless of course you were outsourcing email services).
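The two checks above (inspecting the Received chain for outside SMTP hops, and treating mail that claims your own domain but arrives from outside as forged) as one small detection script. This is an added example, not code from the thread; the domain, the private address ranges and both sample messages are constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed values for this example: the organisation's own domain and the
# address ranges its Exchange/SMTP hosts live in (not from the thread).
INTERNAL_DOMAIN = "companyname.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: From: claims an internal user, but the earliest Received
# hop shows an outside host (203.0.113.77) handing the message to our edge server.
FORGED_MSG = b"""Received: from mail01.companyname.example ([10.0.0.5])
\tby hub01.companyname.example with ESMTP; Thu, 15 Oct 2009 03:10:00 +0000
Received: from unknown (HELO companyname.example) ([203.0.113.77])
\tby mail01.companyname.example with ESMTP; Thu, 15 Oct 2009 03:09:58 +0000
From: IT Support <it-support@companyname.example>

Please download the patch.
"""

# Constructed sample: genuine internal mail, every hop is on our own network.
GENUINE_MSG = b"""Received: from mail01.companyname.example ([10.0.0.5])
\tby hub01.companyname.example with ESMTP; Thu, 15 Oct 2009 03:10:00 +0000
From: Real User <real.user@companyname.example>

See you at noon.
"""

# "from <host> ... [<ip>]" clause of a Received header: the IP the hop came from.
HOP_RE = re.compile(r"from\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def analyze(raw):
    # Returns the claimed sender domain, every hop IP outside our networks,
    # and a verdict; "forged-internal" is the case from the original post.
    msg = email.message_from_bytes(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_internal = domain == INTERNAL_DOMAIN
    external = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m is None:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in INTERNAL_NETS):
            external.append(str(ip))
    verdict = ("forged-internal" if claims_internal and external
               else "internal" if claims_internal else "external")
    return {"from_domain": domain, "claims_internal": claims_internal,
            "external_hops": external, "verdict": verdict}
```

The same rule is what a gateway sender-domain filter enforces at SMTP time; running it over stored headers lets you find messages that already got through.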

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu Oct 15, 2009 7:31 am

Re: Exchange intrusion

And be sure to send an email to all of your users indicating that they should not follow the link, and educate them that it was a phishing attack. All it takes is for one user to fall victim...

Welcome to the forum by the way.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Thu Oct 15, 2009 8:38 am

Re: Exchange intrusion

Jajajajaajaj, I sent an email to my users, PLEASE DO NOT CLICK THE LINK, and some of them did, so we had to send a second email with more information.

Yep, we are getting those kinds of emails.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Oct 17, 2009 11:58 am

Re: Exchange intrusion

As an aside...

I know a guy whose company did a phishing exercise. The goal was to see how many people clicked on the link and then educate everyone about phishing.

After the exercise they sent a follow-up email telling users what to look for and that they should not have clicked the link in the original email. The original email was at the bottom of the new email.

The result? More people clicked on the link at the bottom of the second email than the original email.

There is no patch for...
twitter.com/timmedin | http://blog.securitywhole.com

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sat Oct 17, 2009 12:03 pm

Re: Exchange intrusion

I read in eWeek magazine about a web site that offers a service to send phishing emails and reports to you how many users click the link and how many times, and gives you a grade for that person; you can begin to re-train the users, but some of them do not want to be careful.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Oct 18, 2009 1:27 am

Re: Exchange intrusion

Funny you should mention it, because I recently commented on the eWeek article in this thread by our friends who are responsible for SocialPET:

http://www.ethicalhacker.net/component/ ... .msg23036/

Good stuff by good people!

Don
CISSP, MCSE, CSTA, Security+ SME
