In the previous article, we saw how the attackers had been monitoring and manipulating the MINAF CEO’s email at will … and that they had done it through OWA (Outlook Web Access), the Exchange webmail.

To know how these logs work, we have to see how Exchange works. If we simplify it a lot, Exchange has two main components: CAS (Client Access Server) and DAG (Database Availability Group), which would be roughly equivalent to a web server and the database of a web application.

In the previous article we verified that a series of emails had been sent from the MINAF CEO’s account to the CFO, and through social engineering a series of unauthorized transfers had been made. We are at a point in the investigation where we want to know more about those emails, and for this we have to go to the low-level database of Exchange: EventHistoryDB.

EventHistoryDB is a database that collects with minute detail the entire life cycle of an email in Exchange. Thanks to EventHistoryDB we can know such granular details as:

• When an email was written.
• When it was sent.
• Whether or not it was read by the recipient, and when.
• If the mail was moved to a folder.
• If the email was answered.
• If the mail was sent to the trash, or even if it was deleted from it.

Unfortunately, not everything is perfect in the EventHistoryDB. It is only accessible via Powershell (no nice graphical interfaces), and only the last 7 days are saved by default. However, in this case the MINAF has reacted very quickly and this has allowed us to enter comfortably within that time frame, so it is possible to fully recover the records for the two affected users.

We left the previous article with many gaps in the mail coverage from both the CEO and CFO of the MINAF. A first (and above all) quick solution is to use the MessageTracking logs. As we have already mentioned, MessageTracking is a high-level Exchange log that provides us with some basic data about the message (origin, destination, date and subject) along with some low-level identifiers (of which we will tell something in due course since they will be fundamental in our investigation).

To give you an idea, this is what a MessageTracking log (that we have minimally adapted) looks like:

If we open the log and take a quick look at it, we find a wave of messages (about 1000) quite worrisome:

Apparently someone ordered the remote deletion of Abelardo Alcázar’s mobile device, something that can be done from Exchange if the terminal is configured correctly (very useful in case of theft or loss, since we do not require a remote management solution for mobile terminals or MDM).

This log agrees with Abelardo Alcazar’s statement, coinciding with the dates (remember that in Spain in summer we are at UTC + 2, so 18.47h UTC becomes 20.47h Spanish time).