Mail server
VasyaKerch, 2021-08-19 10:45:29

What is the HealthMailboxLUTF212 mailbox?

Hello. In the evening (at about 22:00), while the administrators were sleeping, an account and a HealthMailboxLUTF212 mailbox were created directly on a single Exchange 2016 server under an account with domain administrator rights, and then exported to PST. There was nothing inside the box.

During the debriefing, it was found that the administrator was not working at that time, and the mailbox stood out strongly against the background of other system HealthMailboxes (you can see it on the screenshots). With all my paranoia, I suspect that this is some kind of inept disguise of human actions, but I don’t understand why this was done. Am I wrong or is this an intruder?

Here are the logs from the audit system:

  1. Attribute Modified : User account control
    Old Value : User is Disabled
    New Value : Account enabled

  2. Mailbox created with the following details :

    Name: HealthMailboxLUTF212
    Alias: HealthMailboxLUTF212
    Mailbox type: User Mailbox
    E-Mail addresses ( proxy addresses ): SMTP : [email protected] internal_domain
    Storage group: Databases
    Storage database: database
    Organizational unit: internal_domain \Users


611e0b3611e2a652834074.png
611e0b3b63459169091809.png
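The audit record in the question can be checked mechanically against what an Exchange-created health mailbox normally looks like. The sketch below is an added example, not part of the original thread: it assumes system health mailboxes are named `HealthMailbox` plus a 32-character hex GUID, are monitoring mailboxes, and live in the `Monitoring Mailboxes` container. The second sample record and the "Monitoring Mailbox" type string are constructed for illustration.

```python
import re

# Assumption: Exchange names its own health mailboxes "HealthMailbox" + 32 hex chars.
GUID_NAME = re.compile(r"^HealthMailbox[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample in the layout of the audit record quoted in the question.
SAMPLE = """\
Mailbox created with the following details :
    Name: HealthMailboxLUTF212
    Alias: HealthMailboxLUTF212
    Mailbox type: User Mailbox
    Organizational unit: internal_domain \\Users
Mailbox created with the following details :
    Name: HealthMailbox0123456789abcdef0123456789abcdef
    Alias: HealthMailbox0123456789abcdef0123456789abcdef
    Mailbox type: Monitoring Mailbox
    Organizational unit: internal_domain \\Microsoft Exchange System Objects\\Monitoring Mailboxes
"""

def parse_records(text):
    """Split the audit text into one dict of 'key: value' fields per mailbox."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if "mailbox created" in line.lower():
            records.append({})
        elif records and ":" in line:
            key, _, value = line.partition(":")
            records[-1][key.strip().lower()] = value.strip()
    return records

def findings(record):
    """Return the reasons a HealthMailbox* record does not look system-made."""
    name = record.get("name", "")
    if not name.lower().startswith("healthmailbox"):
        return []
    reasons = []
    if not GUID_NAME.match(name):
        reasons.append("name suffix is not a 32-hex GUID")
    if "monitoring" not in record.get("mailbox type", "").lower():
        reasons.append("mailbox type is not a monitoring mailbox")
    if "monitoring mailboxes" not in record.get("organizational unit", "").lower():
        reasons.append("OU is not the Monitoring Mailboxes container")
    return reasons

def suspicious(text):
    """Map each flagged mailbox name to its list of reasons."""
    return {r["name"]: f for r in parse_records(text) if (f := findings(r))}
```

Calling `suspicious()` on exported audit text returns only the look-alike mailboxes, each with the attributes that differ from the system-created pattern.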


2 answer(s)
Roman Bezrukov, 2021-08-19
@VasyaKerch

Urgently run these checks:
1. HealthChecker.ps1
2. Test-ProxyLogon.ps1
Additionally:
July 2021 Exchange Server Security Updates - there seem to be no more recent ones yet

msartaev, 2021-08-19
@msartaev

fiery fire!
I would be a little worried :)
probably still worth installing security updates
