- Servers are sending time-delayed automatic replies to incoming mails with external links within the message text.
- ⚠️Something is going on with Qakbot which alters detection/threat landscape in past week⚠️
Seeing emails arrive from high quality companies with MS Exchange on prem, also via Proofpoint and MessageLabs.
This is causing emails to bypass usual email filtering for spam.
- I have F-Secure Email and Server Security installed on these servers, why is it not detecting the threat?
Qakbot leads to ransomware groups extremely often, so orgs should be on alert for suspect emails and security control misses.
It's unclear at this stage how Qakbot is being sent from SMTP servers like this, but it's going to cause problems.
Such a threat can affect an unpatched Exchange server with OWA exposed to the internet.
Our advice is:
- Patch your server with the latest update (both cumulative update (CU) and security update (SU))
- Reboot your server
- Send a sample of the email itself to F-Secure Labs for further investigation (to verify if the sender is from the server itself) from the system.
- Generate additional AUTORUNS
Autoruns is a Microsoft application which can also be downloaded from
- Generate IIS logs
- Run a system and scheduled scan using F-Secure Email and Server Security
- Make sure you have configured F-Secure Email and Server Security; specifically, make sure you have set Internal domains and Internal SMTP senders as stated in the admin guide, section 3.2.1 General settings
- Make sure URL scan is enabled for all three policy routes as shown in the screenshot below:
- Make sure your Spam filter is enabled and the score is set as advised in the admin guide, section 3.2.3 Spam control. More about Spam control and how it works can be found here.
- If you have the latest F-Secure Email and Server Security 15.10, you can also perform Email storage scanning (admin guide section 4.5); please refer to the admin guide for more help.
- If the issue still persists, collect Fsdiag and the rest of the logs and send them to F-Secure Customer Care by submitting a ticket.
- Submit information on which application/program is sending these emails (in case you have that info) and submit the URLs to F-Secure via Saas Service.
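
Before submitting a sample, it can help to confirm that it matches the symptom described above: a reply, sent from an internal address, whose body links to hosts outside your Internal domains. The following is an added triage example, not part of F-Secure's tooling or this article; `INTERNAL_DOMAINS`, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: set this to the domains configured as "Internal domains".
INTERNAL_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+", re.IGNORECASE)
# Constructed sample message (reserved example/test/invalid domains only).
SAMPLE = """\
From: Alice <alice@example.com>
In-Reply-To: <constructed-1@partner.test>
Content-Type: text/plain; charset="utf-8"

Hello, please see the attached document: http://files.invalid/doc.zip
Our portal is still https://portal.example.com/login
"""

def is_internal(host, internal=INTERNAL_DOMAINS):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in internal)

def body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            try:
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label in the header
                parts.append(raw.decode("latin-1"))
    return "\n".join(parts)

def link_hosts(text):
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            hosts.add((urlsplit(url).hostname or "").lower())
        except ValueError:  # malformed URL, skip it
            continue
    return hosts - {""}

def triage(raw, internal=INTERNAL_DOMAINS):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    external = sorted(h for h in link_hosts(body_text(msg)) if not is_internal(h, internal))
    reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    inside = is_internal(sender.rpartition("@")[2], internal)
    return {"sender": sender, "is_reply": reply, "from_internal": inside,
            "external_hosts": external, "suspect": reply and inside and bool(external)}
```

A `suspect` result only means the message fits the reported pattern and is worth sending for analysis; it is not a verdict on the content behind the links.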
Article no: 000035497