###in an Exchange Management Shell (PS) console session
###halt server operations
Stop-Service MSExchangeTransport -force
Suspend-Queue -Identity MAILSERVER.DOMAIN.NET\submission
###identify offending account and spam email subject
$recentemails = Get-MessageTrackingLog -Server MAILSERVER.DOMAIN.NET -Start (Get-Date).AddHours(-12) -EventID Submit -ResultSize Unlimited
###PhishedEmail: the top-volume sender (ignoring health/probe mailboxes) is the compromised account
$recentemails | Group-Object -Property Sender | Select-Object name,count | Where-Object {$_.name -notlike "*health*" -AND $_.name -notlike "*inboundproxy*" -AND $_.name -notlike "*probe*"} | sort count -desc | select -first 10 | ft -auto
###BogusMessage: the top-volume subject is the spam message
###Top numbers should be relatively close with a real runaway account
$recentemails | Group-Object -Property MessageSubject | Select-Object name,count | sort count -desc | select -first 10 | ft -auto
###reset password of phished email account
###may need to do via ADUC if DC not currently setup for remote PS
$s = New-PSSession -ComputerName DOMAINCONTROLLER.DOMAIN.NET
Import-PSSession -Session $s -CommandName Set-ADAccountPassword -AllowClobber
Set-ADAccountPassword -Identity PHISHEDACCOUNT -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "jnghfdjkndftoaskfgoiergfmlkmewhtunsdafg" -Force)
###clean spam message from server/local mbxs
Remove-Message -Server MAILSERVER -Filter {Subject -like "BOGUSMESSAGESUBJECT"} -WithNDR $false
###and
Remove-Message -Server MAILSERVER -Filter {FromAddress -eq "PHISHED@EMAIL.edu"} -WithNDR $false
###clean out individuals mbx
Search-Mailbox -Identity "PHISHED@EMAIL.edu" -SearchQuery 'Subject:"BOGUSMESSAGESUBJECT"' -DeleteContent
Search-Mailbox -Identity "PHISHED@EMAIL.edu" -SearchDumpsterOnly -SearchQuery 'Subject:"BOGUSMESSAGESUBJECT"' -DeleteContent
###restart operations of server
Resume-Queue -Identity MAILSERVER.DOMAIN.NET\submission
Start-Service MSExchangeTransport
###let helpdesk know the user needs a PW reset and that they can recover possibly missing items from the Deleted Items folder, depending on how malicious the phish is
###check mailserver IP for potential spam blacklisting
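The sender/subject grouping from the identification step, turned into a reusable check (an added example, not part of the original runbook). It assumes input objects carrying the Sender, MessageSubject and EventId properties that Get-MessageTrackingLog returns; the Ratio threshold is an assumed encoding of the "top numbers should be relatively close" rule, and the sample rows are constructed so it runs without an Exchange server.

```powershell
# Added example; assumes rows shaped like Get-MessageTrackingLog output.
function Find-RunawaySender {
    param(
        [Parameter(Mandatory)] [object[]] $Log,
        # same noise filter as the runbook: health mailboxes, inbound proxy, probes
        [string[]] $IgnoreSenderPatterns = @('*health*', '*inboundproxy*', '*probe*'),
        # assumed threshold: top sender count vs top subject count must be this close
        [double] $Ratio = 0.8
    )
    $submits = $Log | Where-Object { $_.EventId -eq 'SUBMIT' }
    $senders = $submits |
        Where-Object { $s = $_.Sender; -not ($IgnoreSenderPatterns | Where-Object { $s -like $_ }) } |
        Group-Object -Property Sender | Sort-Object Count -Descending
    $subjects = $submits | Group-Object -Property MessageSubject | Sort-Object Count -Descending
    $topSender  = $senders  | Select-Object -First 1
    $topSubject = $subjects | Select-Object -First 1
    if (-not $topSender -or -not $topSubject) { return $null }
    $lo = [Math]::Min($topSender.Count, $topSubject.Count)
    $hi = [Math]::Max($topSender.Count, $topSubject.Count)
    [pscustomobject]@{
        PhishedAccount = $topSender.Name      # candidate for Set-ADAccountPassword / Remove-Message
        BogusSubject   = $topSubject.Name     # candidate for Remove-Message / Search-Mailbox
        SenderCount    = $topSender.Count
        SubjectCount   = $topSubject.Count
        LikelyRunaway  = (($lo / $hi) -ge $Ratio)
    }
}

# Constructed sample rows (stand-ins for real tracking-log entries).
$sample = @(
    1..40 | ForEach-Object { [pscustomobject]@{ EventId='SUBMIT'; Sender='victim@domain.net'; MessageSubject='Your mailbox is full - verify now' } }
    1..30 | ForEach-Object { [pscustomobject]@{ EventId='SUBMIT'; Sender='healthmailbox001@domain.net'; MessageSubject='Probe' } }
    1..3  | ForEach-Object { [pscustomobject]@{ EventId='SUBMIT'; Sender='alice@domain.net'; MessageSubject='Lunch?' } }
)
# Expected: victim@domain.net / 'Your mailbox is full - verify now', 40 vs 40, LikelyRunaway True
Find-RunawaySender -Log $sample | Format-List
```

Against a live server, pipe the runbook's `$recentemails` into `-Log` instead of the constructed sample.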
For more information on “Phishing Scams”, please refer to the following:
Please be advised about a type of fraud called "phishing." The term "phishing" - as in fishing for confidential information - refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information. This is how it works:
· A user receives an e-mail which appears to originate from a financial institution, government agency, or other well-known/reputable entity.
· The message describes an urgent reason you must "verify" or "re-submit" personal or confidential information by clicking on a link embedded in the message.
· The provided link appears to be the web site of the financial institution, government agency or other well-known/reputable entity, but in "phishing" scams, the web site belongs to the fraudster/scammer.
· Once inside the fraudulent web site, the user may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth.
· When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person's identity.
Criminals will use the names and reputations of high profile corporations to perpetrate various "phishing" schemes. It is important to note that reputable institutions will never ask for personal or confidential information in this manner.