Microsoft Exchange servers hacked in internal reply-chain attacks
Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
Trend Micro researchers have discovered an interesting tactic of distributing malicious email to a company's internal users using the victim's compromised Microsoft Exchange servers.
As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.
The threat actors then use these compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
The ProxyLogon attacks got so bad that the FBI removed web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners.