This past Tuesday after hours, my company was the victim of an OWA exploit that caused our domain to get blacklisted due to sending out millions of spams. I was at a loss to explain how that could occur, I had traced down the user source and through message tracking logs and IIS logs, and proxy logs, determined the source was a specific user and OWA.
This website describes the exploit exactly. To a T. http://blog.spiderlabs.com/2013/09/hey-can-i-use-your-server-for-spamming.html
The user's account was compromised through a phishing email (which got through the spam filter), and the user was dumb enough to fill out the form.
But that being said, the mechanism the hacker/spammer used to do automated spam via OWA by scripting uploading email to the users drafts and sent items, I would like to hope that MS is looking at patching that so there is no possibility of an exploit. I was fully patched with Exchange 2007 SP3 with the latest Update Rollup (12).
This was a huge black eye on us.