0 Replies Latest reply on Nov 18, 2013 10:42 AM by rickgep

    Rogue Email Agent?


      We have our system set up so voicemails are sent to the person's email. About 2 weeks ago we had an employee click on a voicemail attachment which happened to be the CryptoLocker virus. Unfortunately for us their MS Endpoint Protection was turned off and before we could stop it, it had encrypted their files. We were able to get the MS Endpoint turned back on and remove the virus from the machine. For the files we just did a restore from a few days earlier. What we did see after their machine was infected is that it tried to email itself out to others. The weird thing is none of the emails sent were showing in their Outlook client in sent mail. To be safe we decided to completely re-image the machine to make sure we removed any instance of the virus.

      Over the next few days we noticed that between 7am-8am, when employees were logging in, several different machines were sending spam emails out. We had one machine send out over 10,000 emails in just 10 minutes. Of course our IP address was put on the block list and we could not email anyone outside of the company. We have scanned every machine that was said to be sending these emails out and found nothing on the machines. We used MS Endpoint, Malwarebytes, RSkiller, ComboFix and Norton Eraser but nothing was found. Now each day around that same time, when employees are first logging in, different machines are trying to send out spam emails. We have set things up to block these messages but we cannot track down how these messages are being sent. We believe it is a rogue email agent running somewhere on the network but we are not able to pin down which machine it is running from. Just this morning I had a list of about 10 different machines trying to send out these spam emails. I have scanned all the machines and nothing has been found.


      We have found that whatever is sending these emails out is not using the local Outlook client or our Exchange server to send the emails. It seems to have its own built-in client/server that it runs from a machine.


      Is there a tool that I could run that will find a rogue email agent? Any help would be appreciated as this has been going on now for about 5-6 days.
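Since the sender bypasses Outlook and Exchange, the machine running it has to open its own outbound SMTP connections, and the perimeter firewall log is the one place every such connection is recorded regardless of which workstation is infected that morning. The script below is an added example, not code from the original post: it parses firewall connection records in a constructed syslog-style format (the field names, the `fw1` host, the 10.0.0.0/8 and documentation addresses, and the 2013 year filled in for a year-less syslog timestamp are all assumptions), skips the approved relay, and flags any internal host whose outbound SMTP connections exceed a burst threshold inside a sliding ten-minute window, which is the pattern the 10,000-messages-in-10-minutes host would produce.

```python
"""
Find workstations that talk SMTP straight to the internet.

A spam engine that bypasses Outlook and Exchange opens its own outbound
SMTP connections, so the perimeter firewall log is the place to look,
not the mail server. This script parses connection records, ignores the
approved relay, and flags any internal host whose outbound SMTP
connections exceed a burst threshold inside a sliding time window.

Added example; the log format, host names and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}  # direct delivery plus the submission ports

# Assumed syslog-style record layout; adjust the pattern to the real firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ conn: "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line, year=2013):
    """Return (timestamp, src, dport) for one connection record, else None.

    Syslog timestamps carry no year, so one is supplied (assumption: 2013).
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["src"], int(m["dport"])


def find_rogue_senders(log_text, relays, threshold=10, window=timedelta(minutes=10)):
    """Map each non-relay host to its peak number of outbound SMTP
    connections inside any single `window`, keeping only hosts that
    reached `threshold`. Each host's records must be in time order.
    """
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport = rec
        if dport not in SMTP_PORTS or src in relays:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop connections that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {host: n for host, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed firewall records: one burst sender, the relay, one quiet host."""
    base = datetime(2013, 11, 18, 7, 12, 0)
    fmt = "%b %d %H:%M:%S"
    recs = []
    # Workstation 10.0.5.23 fires 12 direct SMTP connections in under 3 minutes.
    for i in range(12):
        t = base + timedelta(seconds=15 * i)
        recs.append((t, f"{t.strftime(fmt)} fw1 conn: src=10.0.5.23 "
                        f"dst=203.0.113.{10 + i} proto=tcp dport=25 action=allow"))
    # The Exchange server (assumed 10.0.1.4) relays as it should; never flagged.
    for i in range(5):
        t = base + timedelta(seconds=30 * i)
        recs.append((t, f"{t.strftime(fmt)} fw1 conn: src=10.0.1.4 "
                        f"dst=198.51.100.5 proto=tcp dport=25 action=allow"))
    # A normal workstation: web traffic plus one stray SMTP connection.
    recs.append((base, f"{base.strftime(fmt)} fw1 conn: src=10.0.7.9 "
                       f"dst=203.0.113.50 proto=tcp dport=443 action=allow"))
    t = base + timedelta(minutes=20)
    recs.append((t, f"{t.strftime(fmt)} fw1 conn: src=10.0.7.9 "
                    f"dst=203.0.113.51 proto=tcp dport=25 action=allow"))
    recs.sort(key=lambda r: r[0])
    return "\n".join(line for _, line in recs)


if __name__ == "__main__":
    hits = find_rogue_senders(build_sample_log(), relays={"10.0.1.4"})
    for host, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} outbound SMTP connections inside one window")
```

On the sample data only 10.0.5.23 is reported (12 connections in one window); the relay is skipped and the single stray connection from 10.0.7.9 stays under the threshold. The same parser works on deny records once outbound 25/465/587 is blocked for everything except the relay, which is the cheaper way to get a named host list every morning; with a host named, `netstat -ano` on that machine during the 7am-8am window shows which process owns the port 25 connections.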