Security News > 2021 > November > Microsoft Exchange servers hacked in internal reply-chain attacks

Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
TrendMicro researchers have discovered an interesting tactic of distributing malicious email to a company's internal users using the victim's compromised Microsoft Exchange servers.
As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.
The threat actors then use these compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
The ProxyLogon attacks got so bad that the FBI removed web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners.