Compromised Microsoft Exchange servers lend legitimacy to malicious Reply All chain

Novel attack strategy lends a whole new level of legitimacy to the scam, opine researchers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

An investigation into the recent SquirrelWafflemalwarecampaign bycybersecurityexperts has revealed the use ofcompromised Microsoft Exchangeservers that were attacked using a chain of bothProxyLogonandProxyShellexploits.

The tactic was discovered by researchers atTrendMicrowho found that the attackers lent legitimacy to their malicious messages by breaking into on-premiseMicrosoftExchange servers using its two popular vulnerabilities.

The threat actors then used these compromised Exchange servers to reply to the company’s internal emails in the classicreply-all email chain attack, stuffing malicious links in legitimate email chains to install malware.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),”notesTrendMicro.

Server hijack

In addition to appearing to be a continuation of an ongoing discussion, the malicious email now originated from within an organization’s email servers, lending a far greater legitimacy to the spammy email.

Furthermore, the researchers said that delivering malicious content using the compromised internalemail serversalso helps eradicate the issue of having to deal with network-level protections since they won’t block internal communication.

“More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the maliciousMicrosoft Excelspreadsheets,” observe the researchers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

These fake reply-all emails drop maliciousMicrosoft Wordor Excel files that will then trick the recipient into enabling the execution of macros that will pull and install the SquirrelWaffle malware.

Protect your computers with thesebest antivirus software, and cleanse them with thesebest malware removal software

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well