Runaway Exchange Server // Phished Account

You may find yourself supporting an exchange server without throttling, in the event that an account gets phished, that may launch a stream of emails as fast as the server has resources to put out. Some steps below that should remedy most of the situation. 

**As always, disclaimer, make sure you test everything and know exactly what commands you are running in powershell before running in production. These are sweeping deletion commands, want to be very careful.**

###in an exchange PS console session


###halt server operations

Stop-Service MSExchangeTransport -force

Suspend-Queue -Identity MAILSERVER.DOMAIN.NET\submission


###identify offending account and spam email subject

$recentemails = Get-MessageTrackingLog -Server MAILSERVER.DOMAIN.NET -Start (Get-Date).AddHours(-12) -EventID Submit –ResultSize Unlimited



$recentemails | Group-Object -Property Sender | Select-Object name,count | Where-Object {$_.name -notlike "*health*" -AND $_.name  notlike "*inboundproxy*" -AND $_.name -notlike "*probe*"} | sort count -desc | select -first 10 | ft -auto



###Top numbers should be relatively close with a real runaway account

$recentemails | Group-Object -Property MessageSubject | Select-Object name,count | sort count -desc | select -first 10 | ft -auto


###reset password of phished email account

###may need to do via ADUC if DC not currently setup for remote PS

$s = New-PSSession -ComputerName 


Import-PSSession -Session $s -CommandName Set-ADAccountPassword -AllowClobber

Set-ADAccountPassword -Identity PHISHEDACCOUNT -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "jnghfdjkndftoaskfgoiergfmlkmewhtunsdafg" -Force)


###clean spam message from server/local mbxs

Remove-Message -Server MAILSERVER -Filter {Subject -like "BOGUSMESSAGESUBJECT"} -WithNDR $false


Remove-Message -Server MAILSERVER -Filter {FromAddress -eq "PHISHED@EMAIL.edu"} -WithNDR $false


###clean out individuals mbx

Search-Mailbox -Identity "PHISHED@EMAIL.edu" -SearchQuery 'Subject:"BOGUSMESSAGESUBJECT"' -DeleteContent

Search-Mailbox -Identity "PHISHED@EMAIL.edu"-SearchDumpsterOnly -SearchQuery


'Subject:"BOGUSMESSAGESUBJECT"' -DeleteContent


###restart operations of server

Resume-Queue -Identity MAILSERVER.DOMAIN.NET\submission

Start-Service MSExchangeTransport


###let helpdesk know user needs PW reset and they can recover possible missing items from deleted items folder depending on how malicious the phish is 

###check mailserver IP for potential spam blacklisting

For more information on “Phishing Scams”, please refer to the following:

Please be advised about a type of fraud called "phishing." The term "phishing" - as in fishing for confidential information - refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information. This is how it works:

·         A user receives an e-mail which appears to originate from a financial institution, government agency, or other well-known/reputable entity.

·         The message describes an urgent reason you must "verify" or "re-submit" personal or confidential information by clicking on a link embedded in the message.

·         The provided link appears to be the web site of the financial institution, government agency or other well-known/reputable entity, but in "phishing" scams, the web site belongs to the fraudster/scammer.

·         Once inside the fraudulent web site, the user may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth.

·         When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person's identity.

Criminals will use the names and reputations of high profile corporations to perpetrate various "phishing" schemes. It is important to note that reputable institutions will never ask for personal or confidential information in this manner. 


This post is locked
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ