SmarterMail security question
Problem reported by Jay Altemoos - 2/2/2026 at 8:40 AM
Submitted
Good day all,
With all the discussion about the recent CVEs for SmarterMail, does anyone have a list of things to check on a Windows server to be sure nothing snuck in? I am 99% sure our server did not get compromised but I also want to be sure.

Items I already checked:

1. All our admin accounts have IP restrictions and no recent password changes.
2. I checked our SmarterMail installation under Service\App_Data\upload and I do not see anything suspicious in there, just attachments from our users.
3. I also checked Volume Mounts in our web interface and that is clean.

Anything else I should be checking for?
J. LaDow Replied
Scan the entire filesystem for malicious files.

One of the early vulnerabilities was unauthenticated file uploads and a path traversal vulnerability which allowed files to land outside of the SmarterMail folders.

Also need to check the OS-level Task Scheduler for anything nefarious, autoruns, the whole nine yards.


MailEnable survivor / convert --
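
As an added example (not code from anyone in this thread), here is a read-only PowerShell sweep that covers the checks J. LaDow lists in one pass: scheduled tasks with recent activity, the classic Run/RunOnce auto-start keys, and recently created executable or script files in places where an unauthenticated upload with path traversal could have landed. The SmarterMail install path, the extra paths and the look-back window are assumptions; set them for your server.

```powershell
# Added example, not from the thread: post-advisory triage sweep for a Windows host
# running SmarterMail. It only lists things for a human to review; it changes nothing.
# Paths below are assumptions; point them at your install and any web/temp folders.
param(
    [string]$SmarterMailRoot = 'C:\Program Files (x86)\SmarterTools\SmarterMail', # assumption
    [int]$Days = 45   # look-back window; pick one that reaches back past the advisory date
)

$since = (Get-Date).AddDays(-$Days)

# 1) Scheduled tasks that ran recently (the "task scheduler" check).
Write-Host "== Scheduled tasks with a last run since $since =="
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName = $_.TaskName
        Path     = $_.TaskPath
        State    = $_.State
        LastRun  = $info.LastRunTime
        Author   = $_.Author
        Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Where-Object { $_.LastRun -ge $since } | Format-Table -AutoSize

# 2) Classic auto-start registry values (a small subset of what Sysinternals Autoruns covers).
Write-Host "== Run / RunOnce registry values =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runItems = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PS* metadata
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
$runItems | Format-Table -AutoSize

# 3) Recently created script/executable files. The path traversal mentioned above could
#    drop files outside the SmarterMail tree, so look wider than Service\App_Data\upload.
Write-Host "== Script/executable files created since $since =="
$watchPaths = @(
    $SmarterMailRoot,
    "$env:SystemRoot\Temp",
    $env:ProgramData,
    'C:\inetpub'      # assumption: only meaningful if IIS is installed on the box
)
$exts = '.exe','.dll','.ps1','.bat','.cmd','.vbs','.js','.hta','.aspx','.ashx','.asp'
$newFiles = foreach ($p in $watchPaths) {
    if (Test-Path $p) {
        Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since -and $exts -contains $_.Extension.ToLower() }
    }
}
$newFiles | Select-Object FullName, CreationTime, Length | Sort-Object CreationTime | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and all task folders are readable. Section 3 keys on CreationTime, which is an ordinary file attribute, so treat an empty result as "nothing obvious", not as proof; a full Autoruns run and an antivirus scan, as suggested in the thread, still belong in the checklist.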
Jay Altemoos Replied
Thank you for the suggestion J. LaDow, we do have antivirus running on that server, but for good measure I went ahead and scanned the entire server again, nothing suspicious found.

I went ahead and checked Autoruns from Sysinternals, nothing suspicious I can see there either. Task Scheduler was clean as well. I think I am in good shape and will keep an eye on things. We are running 9518 already. I saw there was another release but I need to schedule downtime for that.
J. LaDow Replied
It sounds like you might be in the clear -- 
MailEnable survivor / convert --
Mark Thornton Replied
My recent personal experience is you need to dig deep in your anti-virus tools to verify nothing bad has happened or is happening. My a/v caught the bad actor, noted the attack, and listed it as Low Priority, and let it proceed. It didn't even make it to the central dashboard of the product. Yet I am looking at a smoking crater...

I can't say anything more than that.
Howell Dell Replied
You can also search your "Administrative" log for the string "User @ successfully force-reset-password" going back to 1/12/2025 before the proof of concept (PoC) was released. If you find that then you really should wipe and redo the server IMHO. I just saw two more "User @ failed force-reset-password" TODAY BTW!

I use VMs, so rebuilding everything was a bit of work, but the peace of mind was worth it. Some researchers estimate that between 6,000 and 8,000 servers are still vulnerable. I was running Sophos, and it clearly caught some things but wasn’t sufficient. Now I’m trying to determine whether a more advanced version of Sophos would have made a difference. Someone had posted:

6) Install Huntress. This fired off alarms and isolated our server as soon as it saw backdoor files appear in the folder mentioned in #5. Was running patched version of SM, but Huntress still did its job.

7) Highly recommend running ThreatLocker to secure/limit SmarterMail.exe. You can prevent it from running PowerShell, cmd.exe, cscript, mshta.exe, rundll, etc. ThreatLocker also prevents anything from running unless you've specifically permitted it in advance... so nothing can run. Very strong protection.
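
Here is an added PowerShell example (not Howell Dell's script, nor anything from SmarterTools) that does the log search described above across every Administrative log file modified since the date in the post, reporting both the "successfully" and the "failed" variants of the force-reset-password string. The log folder and the log file name pattern are assumptions; check where your installation writes its Administrative log and adjust.

```powershell
# Added example, not from the thread: search SmarterMail "Administrative" log files for
# force-reset-password events. Log folder and file name pattern are assumptions.
param(
    [string]$LogDir = 'C:\SmarterMail\Logs',          # assumption: your log folder
    [string]$FilePattern = '*administrative*.log',    # assumption: Administrative log naming
    [datetime]$Since = [datetime]'2025-01-12'         # date given in the post above
)

$patterns = @(
    'successfully force-reset-password',   # string from the post: a reset that worked
    'failed force-reset-password'          # failed attempts are still worth seeing
)

# Only bother with log files touched on or after the cut-off date.
$files = Get-ChildItem -Path $LogDir -Filter $FilePattern -File -Recurse -ErrorAction Stop |
    Where-Object { $_.LastWriteTime -ge $Since }

# Plain-text (-SimpleMatch) search so the '@' and '-' in the strings are taken literally.
$hits = foreach ($f in $files) {
    Select-String -Path $f.FullName -Pattern $patterns -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Filename
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning ("{0} force-reset-password line(s) found. A 'successfully' hit from before you patched means a password was reset through this path; review who that user was and when." -f @($hits).Count)
} else {
    Write-Host "No force-reset-password entries in $(@($files).Count) log file(s) since $Since."
}
```

Run it against a copy of the logs if you are preserving evidence, and keep the output with your notes; the "failed" lines give you a timeline of attempts even when none succeeded.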
