What we use: Exchange 2007, Windows 7 Enterprise, Outlook 2010

We were hit by spammers who then managed to compromise a couple of accounts. They then started sending spam from these accounts, as they usually do. All this is part of the usual day to day but what has us all confused is this. The emails have no addresses in the To, CC or BCC fields.

On checking the sent messages, we found an additional field containing 900+ email addresses, this was labeled as hidden.

My question is, has anyone else seen this and if so how have you dealt with it?

Without knowing where you are looking at or obtained the logs from, it is hard to say what is going on without making wild guesses.

Either way, this doesn't sound like a simple spamming incident to me when they've gained access to accounts. This means you have an actual hack going on or your users aren't using very secure passwords. If that is usual day to day to you, I'd start with beefing up security and force a company wide password reset (with increased difficulty requirements) as this most definitely shouldn't be a day to day practice.

Let me clarify the initial comment.

The spam/hacking attempts are day to day, the issue being seen here is NOT day to day, it is a new issue seen this week.

The question of security is valid, however we do use complex passwords (enforced by AD) and we have found the users compromised have been rather foolish and clicked a link on a spam email then entered their account credentials which is how the spammers gained access.

The question here is still the same though, how can these emails be sent to over 900 addresses when there is nothing in the To, CC or BCC field? Is this a vulnerability that needs addressing or is it a hidden feature of Outlook/Exchange that we need to be aware of and change  to prevent further compromises?

Solved.

Looks like these were BCC after all, our mail archive lists the addresses as hidden, even though it has the BCC field available.