
Cisco Unity Connection Messaging

Tom Pearce
Level 1

I have a number of customers that have been hacked that all have Unity Connection Messaging.  Calls appear to be being forwarded out of their PBX from the Unity Connection Messaging.  Can anyone tell me how this is possible and what settings they should be looking at?

Thank you!



Brad Magnani
Cisco Employee

This is most usually due to restriction tables not being set up to block unwanted numbers.  Check your restriction tables first to ensure all of the international/unwanted patterns aren't allowed.  The most common place where toll fraud is performed is the Transfer to Alternate Contact Number caller input setting on users and system call handlers.  You can check to see if you have any currently configured on the system for users or call handlers using these:

Users with Transfer to Alternate Contact Number configured:

run cuc dbquery unitydirdb select gu.alias, gu.dtmfaccessid, me.touchtonekey, acn.transfernumber from vw_alternatecontactnumber as acn inner join vw_menuentry as me on acn.menuentryobjectid=me.objectid and me.action='7' inner join vw_callhandler as ch on me.callhandlerobjectid=ch.objectid inner join vw_globaluser as gu on ch.recipient_globaluserobjectid=gu.objectid and ch.isprimary='1'

Call Handlers with Transfer to Alternate Contact Number configured:

run cuc dbquery unitydirdb select ch.displayname, ch.dtmfaccessid, me.touchtonekey,acn.transfernumber from vw_callhandler as ch inner join vw_menuentry as me on ch.objectid=me.callhandlerobjectid and ch.isprimary='0' and me.action='7' inner join vw_alternatecontactnumber as acn on acn.menuentryobjectid=me.objectid

If you find that you have users that have unwanted transfers configured, you'll probably want to bulk change everyone's PIN since it's possible someone has access to the mailbox(es) and could be changing the Transfer to ACNs via the TUI.

Brad
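
As an added example (not part of the post above and not Cisco tooling): a Python triage helper for the pasted output of the two queries, flagging every Transfer to Alternate Contact Number target that is not an internal extension. The output layout (header row, dashed rule, space-aligned columns), the 4-digit extension length and the `9011`/`011`/`00` prefixes are assumptions to adjust for your dial plan; the sample rows are constructed.

```python
import re

# Constructed sample of pasted query output; layout (header row, dashed rule,
# space-aligned columns) is an assumption, not captured from a real system.
SAMPLE = """\
displayname      dtmfaccessid touchtonekey transfernumber
---------------- ------------ ------------ --------------
Opening Greeting 1000         0            1001
Sales Menu       1200         9            90114415550100
After Hours      1300         5            95550123
Goodbye          1400         2
"""

def parse_rows(text):
    """Slice rows by the dashed rule's column offsets (names may contain spaces)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rule = next(i for i, ln in enumerate(lines) if re.fullmatch(r"[-\s]+", ln))
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    spans = list(zip(starts, starts[1:] + [None]))
    cut = lambda ln: [ln[s:e].strip() for s, e in spans]
    header = cut(lines[rule - 1])
    return [dict(zip(header, cut(ln))) for ln in lines[rule + 1:]]

def classify(number, ext_len=4, intl_prefixes=("9011", "011", "00")):
    """ext_len and intl_prefixes are site-specific assumptions (hypothetical dial plan)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        return "empty"
    if len(digits) <= ext_len and not number.strip().startswith("+"):
        return "internal"
    if number.strip().startswith("+") or digits.startswith(intl_prefixes):
        return "international"
    return "external"

def flag_transfers(text, ext_len=4):
    """Return (owner, key, number, kind) for every non-internal transfer target."""
    findings = []
    for row in parse_rows(text):
        kind = classify(row.get("transfernumber", ""), ext_len)
        if kind in ("external", "international"):
            owner = row.get("alias") or row.get("displayname", "?")
            findings.append((owner, row["touchtonekey"], row["transfernumber"], kind))
    return findings

if __name__ == "__main__":
    for finding in flag_transfers(SAMPLE):
        print(*finding, sep="\t")
```

Each flagged row still needs a human check against the restriction tables, since a legitimate off-site contact number will also be reported.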

  

Tom Pearce
Level 1

When I place test calls to these customers, I can hit *, be prompted for user id, hit #, be prompted for the PIN, hit # and then hear Hello, Cisco Unity Connection Messaging.    Is that normal behavior?

If you're not entering the correct PIN, it'll eventually dump you out to Opening Greeting, yes.

Tom Pearce
Level 1

At this point it allows me to access the directory and dial extensions though.

Directory Handlers won't allow you to dial external extensions.  Directory handlers match on internal users.  You'll want to run the SQL queries I gave you to check to see which users and system call handlers may have abnormal transfer numbers configured that you may need to mitigate.

Also look at the CSS assigned to the trunk or ports for the integration depending on the type of integration you are using. This does not need to include partitions that give access to external call routing. If that’s present in the CSS I would suggest that you remove it from the selected partitions.





Also look for a Call Routing Rule with "Caller System Transfer" or (less likely) "User System Transfer" as a Conversation Target. It may have been set up by mistake, but it allows callers to the number associated with that call routing rule to dial an external number at will. But, to @Brad Magnani's point, the numbers must be allowed by the Outdial Transfer Rule.

Maren