I think we're compromised - anyone else experience this?
Problem reported by Aaron Gibbs - Today at 5:47 PM
We're running build 9518 and have been since a day or two after it was released.

Today I got a Windows Defender alert. It was for an exploit named Exploit:O97M/CVE-2017-11882.SA!MSR which appears to be for old Office versions. The exploit was found in the /SmarterMail/Service/MailService.exe.

I RDP'd into the server and found a dozen instances of Notepad standing open on the desktop. All of them are random filenames like rpcgqf_0.txt with one word "test" in the filename. They're all in the /Start Menu/Programs/Startup folder.

Ran a quick search on the machine and found dozens of similarly named .aspx files located in various system folders (/Windows, /Windows/System32, /Inetpub, etc.). The earliest dates are from back on Jan 9 so a couple weeks before the patch was released.

Am I cooked? Anyone else seen this? How did you handle it? I'm about to just burn this server down and set up a fresh SmarterMail instance on a new box.
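A read-only triage pass over the locations the post names, added here as an editor's example and not part of the thread or of SmarterMail itself. It inventories the Startup folders and the system/web roots for the random-name pattern (assumed from rpcgqf_0.txt: six lowercase letters, underscore, digits) and for any .aspx file, hashes each hit and writes a timeline so the earliest drop date can be compared against the patch date. The root list, the name pattern and the 45-day window are assumptions to adjust for the server in question.

```powershell
# Editor-added triage script (not from the original post or from SmarterTools).
# Assumptions: the roots below, the filename pattern derived from "rpcgqf_0.txt",
# and a 45-day look-back are illustrative; change them for your environment.
# The script only reads and hashes files; it deletes nothing, so evidence stays intact.

$LookBackDays = 45                                    # assumption: covers "close to 4 weeks" plus margin
$CutOff       = (Get-Date).ToUniversalTime().AddDays(-$LookBackDays)
$NamePattern  = '^[a-z]{6}_\d+\.(txt|aspx)$'          # assumption: mirrors rpcgqf_0.txt
$OutCsv       = Join-Path $env:TEMP 'smartermail-triage.csv'

# Locations mentioned in the post plus the usual per-user and all-users Startup folders.
$Roots = @(
    "$env:SystemRoot",
    "$env:SystemRoot\System32",
    "$env:SystemDrive\inetpub",
    "${env:ProgramFiles(x86)}\SmarterTools",           # assumption: default SmarterMail install root
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

$Findings = foreach ($Root in $Roots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Flag the random-name pattern anywhere, and any .aspx file under these roots
            # (an .aspx under \Windows or \System32 has no legitimate reason to exist).
            $_.Name -match $NamePattern -or $_.Extension -ieq '.aspx'
        } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                Bytes       = $_.Length
                SHA256      = if ($hash) { $hash.Hash } else { 'unreadable' }
                Path        = $_.FullName
                Recent      = $_.CreationTimeUtc -ge $CutOff
            }
        }
}

# Persistence points the reply warns about: Run keys and scheduled tasks that point at the hits.
$HitDirs  = $Findings | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
$RunKeys  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunHits  = foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and ($_.Value -match $NamePattern.TrimStart('^').TrimEnd('$')) } |
            ForEach-Object { "$k -> $($_.Name) = $($_.Value)" }
    }
}
$TaskHits = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match '[a-z]{6}_\d+\.(txt|aspx)' } |
    ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }

# Timeline first: the oldest CreatedUtc is the earliest known compromise date.
$Findings | Sort-Object CreatedUtc | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
$Findings | Sort-Object CreatedUtc | Select-Object -First 10 CreatedUtc, Path, SHA256 | Format-Table -AutoSize

"{0} suspicious files ({1} created in the last {2} days); full list in {3}" -f `
    @($Findings).Count, @($Findings | Where-Object Recent).Count, $LookBackDays, $OutCsv
if ($RunHits)  { "Run-key entries referencing the pattern:";      $RunHits }
if ($TaskHits) { "Scheduled tasks referencing the pattern:";      $TaskHits }
"Directories containing hits (check IIS/web logs for POSTs to these paths):"; $HitDirs
```

Run it in an elevated PowerShell on the affected host (or, better, against a mounted copy of its disk) before anything is wiped; the CSV plus the SHA256 values give you what to search for on other SmarterMail boxes, and the oldest CreatedUtc tells you how far back log review and credential rotation have to reach.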
J. LaDow Replied
I would. The machine's been fully compromised for close to 4 weeks. If it's opening things on startup, then there's no telling what else it's done at startup that erased itself.

Make sure to rotate out passwords as well as they've most likely been seen or downloaded.
MailEnable survivor / convert --
