What is the HealthMailboxLUTF212 mailbox?

V

VasyaKerch2021-08-19 10:45:29

Mail server

VasyaKerch, 2021-08-19 10:45:29

Hello. In the evening (at about 22:00), while the administrators were sleeping, an account and a HealthMailboxLUTF212 mailbox were created directly on a single Exchange 2016 server under an account with domain administrator rights, and then exported to PST. There was nothing inside the box.

During the debriefing, it was found that the administrator was not working at that time, and the mailbox stood out strongly against the background of other system HealthMailboxes (you can see it on the screenshots). With all my paranoia, I suspect that this is some kind of inept disguise of human actions, but I don’t understand why this was done. Am I wrong or is this an intruder?

Here are the logs from the audit system:

Attribute Modified : User account control
Old Value : User is Disabled
New Value : Account enabled
Mailbox created with the following details :

Name: HealthMailboxLUTF212
Alias: HealthMailboxLUTF212
Mailbox type: User Mailbox
E-Mail addresses ( proxy addresses ): SMTP : [email protected] internal_domain
Storage group: Databases
Storage database: database
Organizational unit: internal_domain \Users

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

R

Roman Bezrukov, 2021-08-19
@VasyaKerch

Urgently take tests:
1. HealthChecker.ps1
2. Test-ProxyLogon.ps1
Additionally:
July 2021 Exchange Server Security Updates - there seem to be no more recent ones yet

M

msartaev, 2021-08-19
@msartaev

fiery fire!
I would be a little worried :)
probably still worth installing security updates