Compromised Microsoft Exchange servers lend legitimacy to malicious Reply All chain

email marketing
(Image credit: Sendinblue)

An investigation into the recent SquirrelWaffle malware (opens in new tab) campaign by cybersecurity (opens in new tab) experts has revealed the use of compromised Microsoft Exchange (opens in new tab) servers that were attacked using a chain of both ProxyLogon (opens in new tab) and ProxyShell (opens in new tab) exploits.

The tactic was discovered by researchers at TrendMicro (opens in new tab) who found that the attackers lent legitimacy to their malicious messages by breaking into on-premise Microsoft Exchange servers using its two popular vulnerabilities.

The threat actors then used these compromised Exchange servers to reply to the company's internal emails in the classic reply-all email chain attack (opens in new tab), stuffing malicious links in legitimate email chains to install malware.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),” notes (opens in new tab) TrendMicro.

Server hijack

In addition to appearing to be a continuation of an ongoing discussion, the malicious email now originated from within an organization’s email servers, lending a far greater legitimacy to the spammy email.

Furthermore, the researchers said that delivering malicious content using the compromised internal email servers (opens in new tab) also helps eradicate the issue of having to deal with network-level protections since they won’t block internal communication.

“More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel (opens in new tab) spreadsheets,” observe the researchers.

These fake reply-all emails drop malicious Microsoft Word (opens in new tab) or Excel files that will then trick the recipient into enabling the execution of macros that will pull and install the SquirrelWaffle malware.

Protect your computers with these best antivirus software (opens in new tab), and cleanse them with these best malware removal software (opens in new tab)

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.