Microsoft Exchange servers hacked in internal reply-chain attacks (Security News, November 2021)

Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
TrendMicro researchers have discovered an interesting tactic of distributing malicious email to a company's internal users using the victim's compromised Microsoft Exchange servers.
As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.
The threat actors then use these compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
The ProxyLogon attacks got so bad that the FBI removed web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners.