Threat operators have been observed compromising Microsoft Exchange servers with the ProxyLogon and ProxyShell exploits, then using them to deploy malware and evade detection with the help of internal reply-chain emails.

Attack vector identified

When threat operators carry out malicious campaigns over email, fooling their victims is key. However, tricking users into believing a sender can be trusted is often the most difficult element of any attack. If they can establish trust or avoid suspicion, threat actors can con recipients into clicking malicious links or opening harmful downloads.

Researchers at TrendMicro recently discovered an intriguing tactic for distributing malicious emails to a firm's internal users: the attackers send them from the victim's own compromised Microsoft Exchange servers.

The hackers behind this assault are believed to be part of ‘TR’, a well-known threat actor that frequently distributes email messages carrying malicious attachments. These attachments deploy a wide range of malware, including SquirrelWaffle, IcedID, Qbot, and the widely abused penetration-testing tool Cobalt Strike.

To fool corporate victims into opening these malicious attachments, the hacker is exploiting Microsoft Exchange servers via the ProxyLogon and ProxyShell vulnerabilities.

The threat operator then uses these compromised Microsoft Exchange servers to reply to existing internal company email threads, a reply-chain attack in which the replies carry links to malicious documents that install malware.

TrendMicro’s recent report commented:

“In the same intrusion, we analysed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).”

Bypassing security systems and avoiding alarm

Because these malicious emails originate from within the same internal network and appear to be a simple continuation of a legitimate discussion previously conducted between two staff members, recipients are more inclined to trust that the message is both authentic and safe to open.

However, this tactic is not just effective against its human targets; it is also an ideal way to avoid raising an alert on the standard email protection systems firms deploy. The malicious attachments are designed to reinforce that sense of trust and look and behave just like an authentic Microsoft Excel document. They instruct recipients that, to view the protected file, they must click “Enable Content”.

As soon as the user clicks that option, the malicious macros embedded in the document are enabled as well. Once executed, they download and install malware such as SquirrelWaffle, Cobalt Strike and Qbot, among others.
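The header analysis TrendMicro describes above (an all-internal mail path between the company's own Exchange servers) combined with the macro-enabled Excel attachment gives a defender something concrete to hunt for. As an added example that is not part of the article or TrendMicro's report, the script below parses a constructed sample message, extracts the sending host of each `Received:` hop, and flags a reply that never left the internal Exchange path yet carries a macro-capable Excel attachment. The host names, the sample message and the attachment type list are assumptions.

```python
import re
from email import message_from_bytes, policy

# Constructed host list (assumption): the organisation's own Exchange servers.
INTERNAL_HOSTS = {"exch01.corp.example", "exch02.corp.example", "exch03.corp.example"}
MACRO_TYPES = {"application/vnd.ms-excel", "application/vnd.ms-excel.sheet.macroenabled.12"}

def received_hops(msg):
    # 'from' host of each Received: header, newest hop first. Only hops written by
    # servers you control are trustworthy, hence the match against a known list.
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+([\w.-]+)", str(hdr))
        hops.append(m.group(1).lower() if m else "unknown")
    return hops

def is_internal_only(hops):
    return bool(hops) and all(h in INTERNAL_HOSTS for h in hops)

def has_macro_attachment(msg):
    return any(p.get_content_type() in MACRO_TYPES
               or (p.get_filename() or "").lower().endswith((".xls", ".xlsm"))
               for p in msg.iter_attachments())

def triage(raw):
    # Flag a reply (In-Reply-To set) whose whole recorded path is internal Exchange
    # servers and which carries a macro-capable Excel file: the reported pattern.
    msg = message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    reasons = []
    if msg.get("In-Reply-To") and is_internal_only(hops):
        reasons.append("internal-only reply chain")
    if has_macro_attachment(msg):
        reasons.append("macro-capable attachment")
    return {"hops": hops, "reasons": reasons, "flag": len(reasons) == 2}

# Constructed sample (not a real capture): an internal reply with an .xlsm attached.
SAMPLE = b"""Received: from exch01.corp.example (10.0.0.11) by exch02.corp.example
Received: from exch03.corp.example (10.0.0.13) by exch01.corp.example
From: alice@corp.example
Subject: RE: Q3 invoice review
In-Reply-To: <orig-123@corp.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel.sheet.macroenabled.12; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"

--b1--
"""
```

Running `triage(SAMPLE)` flags the message on both counts; the same message with an external hop in its `Received:` chain is reported only for the attachment, which shows why the internal-only path is the distinguishing signal.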

To date, threat operators have abused both the ProxyLogon and ProxyShell vulnerabilities to deploy ransomware or to install web shells that later give them backdoor access to networks and devices. Although security fixes for both weaknesses are now available, enterprises that have not yet patched their systems remain easy victims for hackers.

Attacks involving ProxyLogon became so extreme at one point that the Federal Bureau of Investigation (FBI) in the US removed web shells from compromised Microsoft Exchange servers without even notifying their owners.

Installing security patches as soon as they become available is always the most prudent policy for enterprises of all sizes.

Help take the first steps needed to prevent malicious emails from damaging your enterprise by starting a free 14-day trial of our secure workspaces service.