Exchange 2013 CU12 in hybrid mode with Office 365 and using EOP. I receive several of these events daily in the Exchange servers' event logs. They all have random 5- or 6-character domain names ending in .us
The rest of the event looks like this:
Transport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors.
Details: 'Organization: '' Message ID '<0.0.0.8D.1D1963D56A28882.172B09@kpafog.us>' Rule ID '1f84f16b-d702-4afd-9b25-0b3372cfb166' Predicate '' Action ''.
FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: 'MIME content error: Cannot decode content stream because unrecognized content transfer encoding was used to encode it.'. See inner exception for details ---> Microsoft.Exchange.Data.Mime.MimeException: MIME content error: Cannot decode content stream because unrecognized content transfer encoding was used to encode it.
   at Microsoft.Exchange.Data.Mime.MimePart.GetContentReadStream()
   at Microsoft.Exchange.UnifiedContent.Exchange.EmailMessageSerializer.SerializeMimeDocument(UnifiedContentSerializer serializer, EmailMessage email, HashSet`1 serializedMimeParts)
   at Microsoft.Exchange.UnifiedContent.Exchange.EmailMessageSerializer.Serialize(EmailMessage message, UnifiedContentSerializer serializer, Boolean bypassTextTruncation)
   at Microsoft.Filtering.FipsDataStreamFilteringRequest.ToFilteringRequest(Boolean bypassBodyTextTruncation)
   at Microsoft.Exchange.MessagingPolicies.Rules.FipsFilteringServiceInvoker.CreateFipsRequest(ScanConfiguration config, FilteringServiceInvokerRequest filteringServiceInvokerRequest)
   at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.BeginTextExtraction(FilteringServiceInvokerRequest filteringServiceInvokerRequest, TextExtractionCompleteCallback textExtractionCompleteCallback)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.GetUnifiedContentResults(FilteringServiceInvokerRequest filteringServiceInvokerRequest)
   at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.get_BodyContent()
   at Microsoft.Exchange.MessagingPolicies.Rules.MessageBodies.Microsoft.Exchange.MessagingPolicies.Rules.IContent.Matches(MultiMatcher matcher, RulesEvaluationContext context)
   at Microsoft.Exchange.MessagingPolicies.Rules.TextMatchingPredicate.Evaluate(RulesEvaluationContext context)
   at Microsoft.Exchange.MessagingPolicies.Rules.OrCondition.Evaluate(RulesEvaluationContext context)
   at Microsoft.Exchange.MessagingPolicies.Rules.AndCondition.Evaluate(RulesEvaluationContext context)
   at Microsoft.Exchange.MessagingPolicies.Rules.RulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext)
   at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext).
Message-Id:<0.0.0.8D.1D1963D56A28882.172B09@kpafog.us>'
I suspect it is a type of spam/malware that EOP is not catching and FIPS cannot process either.
I have tried to filter these out with a rule but have had no success yet.
I would be grateful for any help.