
Arm yourself for battle against an email virus outbreak

Did malware slip through the Exchange Server perimeter? Don't panic. Use these PowerShell commands to respond quickly and minimize the damage.

The onslaught of ransomware and devious social engineering efforts means it's only a matter of time before your organization is hit with a major email virus outbreak.

Administrators should prepare on-premises Exchange -- and themselves -- to quickly stem the bleeding when that malware lands in a user's inbox. And while the techniques to protect on-premises Exchange Server aren't new, they are important steps to reduce the effects of an attack. Even if the antivirus scanner fails to detect the threat, there are ways to isolate affected mailboxes, slow the proliferation and even stop the spread of a virus. Have procedures, processes and scripts in place to fight off an email virus outbreak before trouble starts.

Study the risk chart

Every antivirus tool is different, so the risk chart in Figure 1 doesn't include all the steps to take during an email virus outbreak. But it shows what to do within Exchange if the antivirus software or SMTP gateway cannot stop the threat. Armed with this plan, administrators have a clear course of action to help the system weather an attack.

Risk chart
Figure 1: This chart explains what action an administrator should perform based on the impact of the threat to the Exchange Server.

The risk chart also indicates the appropriate response based on the severity and distribution of the threat. For example, a widespread distribution of the destructive Locky ransomware warrants a far greater response than when the Tinba malware hits a single mailbox. Use this chart as a baseline to assemble a threat-response plan.

Clean the mailbox

If an outbreak gets beyond the gateway and desktop virus scanners, use the Exchange Management Shell to quickly run a script that will search-and-destroy the offending email from the mailbox. This will limit the damage.

In Exchange 2016, use the Search-Mailbox cmdlet with the -DeleteContent switch. Running Search-Mailbox at all requires the Mailbox Search management role (assigned to the Discovery Management role group by default), and -DeleteContent additionally requires the Mailbox Import Export role, which is assigned to no role group by default, so grant it to the administrative account before trouble starts. Here is an example of the syntax:

Search-Mailbox "Bryant, Steve" -SearchQuery '"Get rich now!!!"' -DeleteContent

This command searches every indexed property of the items in the mailbox (subject, body and attachment content, not only the body) for the exact phrase "Get rich now!!!" and purges the matches. The inner double quotes make it a phrase match; without them, the query would match any item that contains the words get, rich and now anywhere. The query is Keyword Query Language, so during an outbreak narrow it with properties such as Subject:, From: or Attachment: to avoid deleting legitimate mail that merely quotes the phrase in a reply or a warning. Be careful: -DeleteContent hard-deletes the items; they remain recoverable only if single item recovery or a hold keeps them in the mailbox's Recoverable Items folder. Run the search in estimate mode first:

Search-Mailbox "Bryant, Steve" -SearchQuery '"Get rich now!!!"' -EstimateResultOnly

-EstimateResultOnly reports only a count. To see which messages would be removed, run the search with -LogOnly together with -TargetMailbox and -TargetFolder; Exchange then writes a log message, with a CSV of the matching items attached, to that folder and deletes nothing.

Search-Mailbox processes one mailbox per call and returns at most 10,000 results per mailbox, so for very large mailboxes or a large number of mailboxes the New-MailboxSearch cmdlet (In-Place eDiscovery) is an option. Note the difference in outcome: New-MailboxSearch copies matching items to a discovery mailbox rather than deleting them from the user's mailbox, so it is better suited to scoping an outbreak than to cleaning it up. More details about the New-MailboxSearch cmdlet are in Microsoft's documentation.

Scour email from multiple mailboxes

To search multiple mailboxes, admins can either scan them all or specify mailboxes with an input file. A search through all mailboxes is the easiest way to track down infected messages, but it also could be the slowest way to clean a mailbox, depending on how many mailboxes exist.

Get-Mailbox returns at most 1,000 mailboxes by default; -ResultSize Unlimited removes that cap. For a smaller organization, one pipeline across every mailbox is the quickest route:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery '"Get rich now!!!"' -DeleteContent

Use the Get-Mailbox scoping parameters and filters to clean only certain mailboxes. For example, this cleans all mailboxes in a specific mailbox database:

Get-Mailbox -Database MBDB01 -ResultSize Unlimited | Search-Mailbox -SearchQuery '"Get rich now!!!"' -DeleteContent

Alternatively, this cleans all mailboxes one server at a time:

Get-Mailbox -Server MBSERVER01 -ResultSize Unlimited | Search-Mailbox -SearchQuery '"Get rich now!!!"' -DeleteContent

As with the single-mailbox search, run the pipeline with -EstimateResultOnly first to confirm the query matches only what you intend. -DeleteContent prompts for confirmation for every mailbox it touches; once the estimate looks right, add -Force to suppress the prompts.

Another way to target specific mailboxes is an input file with one mailbox identity per line:

$InputFile = Get-Content "C:\affectedusers.txt"

foreach ($line in $InputFile) { Search-Mailbox $line -SearchQuery '"Get rich now!!!"' -DeleteContent }
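The following script is an added example and is not code from the original article. It turns the single-mailbox and multi-mailbox searches above into a two-pass procedure: the first pass only logs what would be removed, and the second pass copies every hit into a discovery mailbox folder before hard-deleting it, so a bad query can be undone. The mailbox list path, the discovery mailbox name and the query itself are constructed assumptions; it expects to run in the Exchange Management Shell with the Mailbox Search and Mailbox Import Export roles.

```powershell
# Added example (not from the original article): two-pass outbreak purge.
# Pass 1 (default) logs the matches; pass 2 (-Purge) copies each hit to a
# discovery mailbox folder and only then deletes it from the user's mailbox.
# Assumptions: Exchange Management Shell, Mailbox Search + Mailbox Import
# Export roles, and the constructed names below (list file, discovery
# mailbox, query).

function Invoke-OutbreakPurge {
    param(
        # KQL query. Property-scoped terms keep the blast radius small: a bare
        # phrase would also hit replies and warnings that quote it.
        # Sender address is a constructed value.
        [string]$Query = 'Subject:"Get rich now!!!" AND From:"billing@example.net"',
        # One mailbox identity per line (constructed path).
        [string]$MailboxList = 'C:\affectedusers.txt',
        # Matches are copied here before deletion (constructed name; the
        # default discovery mailbox's display name is used for illustration).
        [string]$DiscoveryMailbox = 'Discovery Search Mailbox',
        # One folder per run, so repeated runs do not mix their evidence.
        [string]$TargetFolder = "Outbreak-$(Get-Date -Format yyyyMMdd-HHmm)",
        # Without -Purge the function only logs; nothing is deleted.
        [switch]$Purge
    )

    $mailboxes = Get-Content $MailboxList | Where-Object { $_.Trim() -ne '' }
    $mode = if ($Purge) { 'purged' } else { 'log-only' }
    $summary = @()

    foreach ($mbx in $mailboxes) {
        if ($Purge) {
            # -DeleteContent together with -TargetMailbox/-TargetFolder copies
            # the items to the target folder, then deletes them from $mbx.
            # -Force suppresses the per-mailbox confirmation prompt.
            $r = Search-Mailbox -Identity $mbx -SearchQuery $Query `
                    -TargetMailbox $DiscoveryMailbox -TargetFolder $TargetFolder `
                    -DeleteContent -Force
        }
        else {
            # -LogOnly writes a log message (with a CSV listing the hits) to
            # the target folder and changes nothing in $mbx.
            $r = Search-Mailbox -Identity $mbx -SearchQuery $Query `
                    -TargetMailbox $DiscoveryMailbox -TargetFolder $TargetFolder `
                    -LogOnly -LogLevel Full
        }
        $summary += [pscustomobject]@{
            Mailbox = $mbx
            Items   = $r.ResultItemsCount
            Size    = $r.ResultItemsSize
            Success = $r.Success
            Mode    = $mode
        }
    }

    # Keep a record of what was touched outside the discovery mailbox too.
    $summary | Export-Csv -NoTypeInformation "C:\$TargetFolder-summary.csv"
    $summary
}

# Dry run first; purge only once the logged hits look right.
Invoke-OutbreakPurge
# Invoke-OutbreakPurge -Purge
```

The query defaults to a subject plus sender combination rather than the bare phrase because the phrase alone also matches every "don't open this" warning a helpful colleague forwarded. Check the log-only CSV in the discovery mailbox before the purge pass, and keep the summary file with the incident record.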

Isolate the mailbox

If the IT staff cannot clean a mailbox fast enough to contain the virus, it's best to isolate that mailbox. Exchange 2016 quarantines a mailbox automatically when the Information Store detects that the mailbox is destabilizing its database, and Enable-MailboxQuarantine applies the same state on demand. A quarantined mailbox is unavailable to everyone. Here is an example of a 60-minute quarantine, written in the dd.hh:mm:ss form the Duration parameter expects (the minutes field must be 0 to 59, so 60 minutes is written as one hour):

Enable-MailboxQuarantine "Bryant, Steve" -Duration 00.01:00:00

Omit -Duration and the cmdlet's default quarantine period applies (24 hours, according to Microsoft's documentation). Either way, this command returns the mailbox to service early:

Disable-MailboxQuarantine "Bryant, Steve"

With quarantine, the mailbox is offline for everyone, administrators included: it cannot be cleaned with Search-Mailbox while it is quarantined. Treat quarantine as a holding action, not a cleanup step.

To keep mail delivering to the mailbox while making it inaccessible to users, restrict client access instead. The user cannot connect over any protocol, but the administrator can still clean the mailbox with PowerShell:

Set-CASMailbox "Bryant, Steve" -ActiveSyncEnabled $false -ImapEnabled $false -EwsEnabled $false -MAPIEnabled $false -OWAEnabled $false -PopEnabled $false -OWAforDevicesEnabled $false

Set-CASMailbox takes one identity at a time; to isolate several mailboxes at once, pipe a filtered Get-CASMailbox or Get-Mailbox into it. To re-enable access, run the same command with $true. Be aware that a blanket $true turns on every protocol, including POP, IMAP or ActiveSync that may have been disabled for that user by policy, so record each mailbox's previous values before isolating it:

Set-CASMailbox "Bryant, Steve" -ActiveSyncEnabled $true -ImapEnabled $true -EwsEnabled $true -MAPIEnabled $true -OWAEnabled $true -PopEnabled $true -OWAforDevicesEnabled $true
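The script below is an added example, not code from the original article. It isolates a set of mailboxes with Set-CASMailbox and, unlike the blanket $true re-enable above, restores each mailbox to exactly the protocol settings it had before, by snapshotting Get-CASMailbox output to a CSV first. The snapshot path and the database name are constructed assumptions; it expects the Exchange Management Shell.

```powershell
# Added example (not from the original article): isolate mailboxes and
# restore their exact pre-isolation protocol settings. Assumes the Exchange
# Management Shell; the snapshot path and database name are constructed.

# Every client protocol Set-CASMailbox can switch off.
$Protocols = 'ActiveSyncEnabled', 'ImapEnabled', 'EwsEnabled', 'MAPIEnabled',
             'OWAEnabled', 'PopEnabled', 'OWAforDevicesEnabled', 'ECPEnabled'

function Disable-ClientAccessForMailboxes {
    param(
        # Mailbox identities to isolate (SMTP addresses work well here).
        [Parameter(Mandatory)][string[]]$Identity,
        # Where the pre-isolation settings are recorded (constructed path).
        [string]$SnapshotPath = 'C:\cas-snapshot.csv'
    )
    # Record current state first. The SMTP address is stored as the identity
    # so the restore does not depend on display names or OU paths.
    $props = @(@{ n = 'Identity'; e = { $_.PrimarySmtpAddress.ToString() } }) + $Protocols
    $snapshot = foreach ($id in $Identity) {
        Get-CASMailbox -Identity $id | Select-Object -Property $props
    }
    # -Append so repeated isolation rounds during one incident all survive.
    $snapshot | Export-Csv -NoTypeInformation -Append $SnapshotPath

    foreach ($id in $Identity) {
        $off = @{}
        foreach ($p in $Protocols) { $off[$p] = $false }
        # Splatting keeps the protocol list in one place.
        Set-CASMailbox -Identity $id @off
    }
}

function Restore-ClientAccessForMailboxes {
    param([string]$SnapshotPath = 'C:\cas-snapshot.csv')
    foreach ($row in Import-Csv $SnapshotPath) {
        $settings = @{}
        foreach ($p in $Protocols) {
            # CSV stores the booleans as the strings "True"/"False".
            $settings[$p] = [System.Convert]::ToBoolean($row.$p)
        }
        Set-CASMailbox -Identity $row.Identity @settings
    }
}

# Isolate every mailbox in one database (constructed name), clean, restore.
$affected = Get-Mailbox -Database MBDB01 -ResultSize Unlimited |
            ForEach-Object { $_.PrimarySmtpAddress.ToString() }
Disable-ClientAccessForMailboxes -Identity $affected
# ... run Search-Mailbox against the isolated mailboxes ...
# Restore-ClientAccessForMailboxes
```

ECPEnabled is included because a user who can still reach the Exchange admin center options page could otherwise re-enable forwarding rules while the mailbox is supposedly isolated. Clients already connected may keep a session for a short while; the setting takes effect on their next connection.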

Slow the arrival of mail

If the outbreak continues to affect users and slows the system, throttle the inbound SMTP receive connectors. This reduces server strain while still permitting mail to flow.

The first step is to identify the connectors that face the internet. In this example each server has a dedicated receive connector for internet mail, bound to its own IP address and named consistently with the prefix Internet Receive Connector, so a wildcard on the identity finds all of them. Two settings matter here. MaxInboundConnectionPerSource (default 20) caps the concurrent sessions a single source IP may hold. TarpitInterval (default five seconds) is the delay Exchange adds to an SMTP response when it judges the remote server to be abusing the connection, for example after repeated RCPT TO failures typical of a directory-harvest attack; authenticated connections are never tarpitted. Raising the tarpit therefore slows an attacker spraying addresses far more than it slows a clean delivery.

Get-ReceiveConnector | Where-Object {$_.Identity -like "*internet*"} | Select-Object Name, MaxInboundConnectionPerSource, TarpitInterval

Inbound internet connectors
Identify the inbound internet connectors.


Other settings will regulate email, but start with these. The idea is to ease the arrival of inbound messages and give IT more time to clean and isolate -- without crippling connectivity.

This command reduces the allowed connections per source from the default of 20 to 5 and raises the tarpit interval from five seconds to 30 seconds:

Get-ReceiveConnector | Where-Object {$_.Identity -like "*internet*"} | Set-ReceiveConnector -MaxInboundConnectionPerSource 5 -TarpitInterval 00:00:30

Inbound mail keeps flowing, but any single internet host can now hold only five sessions open at a time. If all internet mail reaches Exchange through one gateway or anti-spam appliance, that one source IP is now throttled; that is the intended effect during an outbreak, but the gateway's own queue will back up, so watch it. Adjust these numbers as needed and, above all, record the original values so they can be put back when the crisis is over.

If you haven't created specific receive connectors for internet traffic, use the command below to target the "default" connectors. On Exchange 2016 the wildcard matches both Default Frontend <server> (port 25, the internet-facing Front End Transport connector) and Default <server> (port 2525, used by the Transport service for server-to-server mail), so this also slows traffic between your own servers.

Get-ReceiveConnector | Where-Object {$_.Identity -like "*default*"} | Set-ReceiveConnector -MaxInboundConnectionPerSource 5 -TarpitInterval 00:00:30

Stop mail from the attack source

If the attack is severe or widespread enough, an administrator can stop all inbound internet traffic by disabling the internet connectors. In this environment, having dedicated connectors for inbound internet traffic makes both throttling and this kind of restriction straightforward.

Get-ReceiveConnector | Where-Object {$_.Identity -like "*internet*"} | Set-ReceiveConnector -Enabled $false

If your Exchange configuration doesn't have named connectors for internet connectivity, you'll need to find another way to disable inbound SMTP traffic at the firewall or gateway.

Slow all inbound mail

If the email virus outbreak uses the Exchange system itself to spread, slow all receive connectors to give the staff more time to clean. This command sets every receive connector on every server to hold back connections from all sources, including server-to-server transport:

Get-ReceiveConnector | Set-ReceiveConnector -MaxInboundConnectionPerSource 5 -TarpitInterval 00:00:30

This slows delivery and lets the SMTP queues grow. Watch free space on the drive that holds the queue database: Exchange back pressure starts rejecting inbound connections once that drive falls below its free-space threshold, which would turn your throttle into an outage. Adjust MaxInboundConnectionPerSource and TarpitInterval until mail flow reaches a manageable rate.

Stop all inbound mail

In very drastic cases, stop all inbound mail flow to give IT time to clean mailboxes or prepare for a recovery scenario. Use this command to take that step:

Get-ReceiveConnector | Set-ReceiveConnector -Enabled $false
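The script below is an added example, not code from the original article. It serves the throttling steps above (internet connectors, default connectors and all connectors) and the disable steps (internet only or all inbound) with one snapshot-then-change-then-restore routine, so that "put the settings back to defaults" becomes a single command. It also adds MessageRateLimit, a receive connector parameter that caps messages per minute from a single source and, unlike TarpitInterval, bites on ordinary delivery. The connector name pattern, the snapshot path and the rate values are constructed assumptions; it expects the Exchange Management Shell.

```powershell
# Added example (not from the original article): throttle or disable receive
# connectors with the original settings saved first. Assumes the Exchange
# Management Shell; name pattern, snapshot path and limits are constructed.

$Snapshot = 'C:\receiveconnectors-snapshot.csv'

function Save-ReceiveConnectorState {
    # Values are stored in the string forms Set-ReceiveConnector accepts back
    # ("Unlimited", "20", "00:00:05"), so the restore needs no conversion.
    Get-ReceiveConnector |
        Select-Object @{ n = 'Identity'; e = { $_.Identity.ToString() } },
                      @{ n = 'Enabled';  e = { $_.Enabled } },
                      @{ n = 'MaxInboundConnectionPerSource'; e = { $_.MaxInboundConnectionPerSource.ToString() } },
                      @{ n = 'MessageRateLimit'; e = { $_.MessageRateLimit.ToString() } },
                      @{ n = 'TarpitInterval';   e = { $_.TarpitInterval.ToString() } } |
        Export-Csv -NoTypeInformation $Snapshot
}

function Set-OutbreakThrottle {
    param(
        # Wildcard against the connector identity ("SERVER\Name"). '*' hits
        # every connector, including the Transport service's server-to-server
        # ones; '*internet*' or '*default*' narrows it as in the article.
        [string]$NamePattern = '*internet*',
        [int]$ConnectionsPerSource = 5,
        [int]$MessagesPerMinute = 60,
        [string]$Tarpit = '00:00:30',
        # Disable instead of throttle: refuses new inbound sessions entirely.
        [switch]$Disable
    )
    # Never overwrite an existing snapshot; the first one holds the real defaults.
    if (-not (Test-Path $Snapshot)) { Save-ReceiveConnectorState }

    $targets = Get-ReceiveConnector | Where-Object { $_.Identity -like $NamePattern }
    if (-not $targets) { throw "No receive connector matches '$NamePattern'" }

    foreach ($rc in $targets) {
        if ($Disable) {
            Set-ReceiveConnector -Identity $rc.Identity -Enabled $false
        }
        else {
            Set-ReceiveConnector -Identity $rc.Identity `
                -MaxInboundConnectionPerSource $ConnectionsPerSource `
                -MessageRateLimit $MessagesPerMinute `
                -TarpitInterval $Tarpit
        }
    }
    # Show the resulting state so the change can be verified on the spot.
    Get-ReceiveConnector | Where-Object { $_.Identity -like $NamePattern } |
        Format-Table Identity, Enabled, MaxInboundConnectionPerSource,
                     MessageRateLimit, TarpitInterval -AutoSize
}

function Restore-ReceiveConnectorState {
    foreach ($rc in Import-Csv $Snapshot) {
        Set-ReceiveConnector -Identity $rc.Identity `
            -Enabled ([System.Convert]::ToBoolean($rc.Enabled)) `
            -MaxInboundConnectionPerSource $rc.MaxInboundConnectionPerSource `
            -MessageRateLimit $rc.MessageRateLimit `
            -TarpitInterval $rc.TarpitInterval
    }
}

# Throttle the internet-facing connectors; escalate to -Disable if needed.
Set-OutbreakThrottle -NamePattern '*internet*'
# Set-OutbreakThrottle -NamePattern '*internet*' -Disable
# Set-OutbreakThrottle -NamePattern '*' -ConnectionsPerSource 3   # everything
# Restore-ReceiveConnectorState
```

The snapshot is taken once and never overwritten, because the second throttling round in an incident would otherwise "save" the already-throttled values as the baseline. Keep the CSV with the incident record; it is also the evidence that the environment was returned to its pre-incident configuration.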

Isolate affected servers

In some situations a specific site or server suffers an outbreak worse than the rest of the organization. This command stops that server's Transport service, which halts its mail transfers and leaves its queued messages on disk until the service starts again. Note that on Exchange 2016 it is the Front End Transport service (MSExchangeFrontEndTransport) that listens on port 25; stop it as well if the server must refuse connections, not just stop processing mail.

Get-Service -Name MSExchangeTransport -ComputerName SERVERA | Stop-Service

After the repairs, restart the service with Start-Service:

Get-Service -Name MSExchangeTransport -ComputerName SERVERA | Start-Service
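The script below is an added example, not code from the original article. It shows the supported alternative to stopping the service outright: marking the server's HubTransport component as draining with Set-ServerComponentState, which makes the Transport service stop accepting new inbound sessions while it finishes delivering what it already holds, and optionally moving the queued messages elsewhere with Redirect-Message. SERVERA and the target FQDN are constructed names; it expects the Exchange Management Shell.

```powershell
# Added example (not from the original article): take one server's transport
# out of service the supported way, then put it back. Draining keeps the
# server's queued mail moving (or lets you redirect it) instead of freezing
# it on disk as Stop-Service does. Server names are constructed.

function Set-TransportIsolation {
    param(
        [Parameter(Mandatory)][string]$Server,
        # FQDN of the server that should receive the queued messages. Omit it
        # to keep the queued mail on the isolated server, which is the safer
        # choice when the queued mail itself may carry the outbreak.
        [string]$RedirectTo,
        [switch]$Restore
    )

    if ($Restore) {
        Set-ServerComponentState -Identity $Server -Component HubTransport `
            -State Active -Requester Maintenance
        Get-Service -Name MSExchangeTransport -ComputerName $Server | Restart-Service
        return Get-ServerComponentState -Identity $Server -Component HubTransport
    }

    # Draining: refuse new inbound sessions, finish delivering existing queues.
    Set-ServerComponentState -Identity $Server -Component HubTransport `
        -State Draining -Requester Maintenance
    # The Transport service reads the component state when it starts.
    Get-Service -Name MSExchangeTransport -ComputerName $Server | Restart-Service

    if ($RedirectTo) {
        # Hand the already-queued messages to another Mailbox server.
        Redirect-Message -Server $Server -Target $RedirectTo -Confirm:$false
    }

    # Report what is still queued; repeat until MessageCount reaches zero.
    # Shadow queues are excluded: they hold copies owned by other servers.
    Get-Queue -Server $Server |
        Where-Object { $_.Identity -notlike '*\Shadow\*' } |
        Select-Object Identity, DeliveryType, Status, MessageCount
}

# Drain SERVERA and move its queues to SERVERB; restore when the server is clean.
Set-TransportIsolation -Server SERVERA -RedirectTo 'serverb.contoso.com'
# Set-TransportIsolation -Server SERVERA -Restore
```

If the server must also stop answering on port 25 immediately, follow this with the Stop-Service command above for MSExchangeFrontEndTransport; draining by itself only affects the Transport service. Redirecting queues is a judgement call during an outbreak: it preserves legitimate mail, but it also moves any malicious messages still waiting for delivery onto a healthy server.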

Prepare for restoration

In some cases, an IT team won't be able to clean the email virus outbreak completely because of time constraints or the amount of damage that Exchange data received. In these circumstances, the only solution might be to restore data from a backup.

Next Steps

Pinpoint security risks to lock down Exchange

Which email security gateways are the best?

How to impede ransomware
