Microsoft Exchange Servers Compromised in Reply-Chain Attacks

Threat actors are leverage known vulnerabilities against unpatched exchange servers to distribute malware and avoid detection by abusing internal reply-chain emails.

TrendMicro researchers have discovered that threat actors have distributed malicious emails to internal employees on corporate networks through an interesting tactic. They start by exploiting Microsoft exchange servers which remain vulnerable to ProxyLogon and ProxyShell. Once the threat actors compromise these servers, they reply to a company’s internal emails and attempt to blend into the legitimate email chain.

Their emails contain documents and links that contain malicious macros. These macros, once activated, have been observed to deploy various malware strains and toolkits. TrendMicro has identified the actors are utilising: Qbot, IcedID, Cobalt Strike and SquirrelWaffle payloads.

As these emails originate from the internal network and appear to be a continuation of previous correspondence, it leads to a greater degree of trust that the email is legitimate and safe. Not only does this increase the likelihood of the campaign’s success, but it is also more likely to bypass security controls as well.

The impact:

If a user is tricked into executing malicious macros, various malware strains – such as Qbot will likely be introduced to the network. The introduction of malware often allows an attacker to perform malicious actions such as logging key-strokes or recording audio and video.

Furthermore, lesser malware strains can be leveraged to deploy more sophisticated samples like ransomware and rootkits.