
Hackers Compromise Microsoft Exchange Servers with Keyloggers

Written by Adriana Aguilar | Jun 25, 2025 11:38:15 PM

A new wave of attacks has been detected against Microsoft Exchange servers that are exposed to the internet. The attackers, whose identity remains unknown, inject malicious JavaScript directly into the Outlook on the web (OWA) login page so that it steals the credentials users type into it.

Specifically, two types of JavaScript keylogger have been found embedded in that page:

  1. A local variant that writes the captured credentials to a file on the compromised server, in a location reachable from the internet.

  2. A remote variant that sends the stolen data straight to infrastructure controlled by the attackers.

So far, at least 65 organizations across 26 countries have been confirmed victims of this attack, which appears to be a continuation of a campaign initially detected in May 2024, mainly targeting entities in Africa and the Middle East.

At that time, around 30 victims were identified, including government agencies, banks, tech companies, and educational institutions. What’s most concerning is the evidence suggesting that the first unauthorized accesses may have occurred as early as 2021.

The method isn't new, but it remains highly effective. The attackers exploit known, long-patched vulnerabilities in Microsoft Exchange Server (such as the ProxyShell and ProxyLogon chains) to obtain code execution or arbitrary file write on the server, and then use that access to modify the login page (logon.aspx) and plant their code in it.

The exploited vulnerabilities include:

  1. CVE-2014-4078: an IIS security-feature bypass (IP and domain restrictions could be circumvented).

  2. CVE-2020-0796 (SMBGhost): a critical pre-authentication remote code execution flaw in SMBv3 compression. It is a Windows vulnerability rather than an Exchange one, but an exposed Exchange host is still a Windows server.

  3. CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065: the ProxyLogon chain. The first is a pre-authentication SSRF that bypasses authentication; the others are an insecure deserialization and two post-authentication arbitrary file writes. Chained together they give unauthenticated remote code execution.

  4. CVE-2021-31206, CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523: the ProxyShell family. CVE-2021-34473 (pre-authentication path confusion), CVE-2021-34523 (elevation of privilege in the Exchange PowerShell backend) and CVE-2021-31207 (post-authentication arbitrary file write, classified as a security-feature bypass) chain to unauthenticated remote code execution; CVE-2021-31206 is a separate remote code execution flaw.

Once the malicious code is in place, it hooks the login form, reads what the user types into the username and password fields, and sends those values in a web request (an XMLHttpRequest, or XHR) to a specific page hosted on the compromised server itself. The server-side code of that page receives the request and writes the data to a file on the server; this is the local variant described above.

Although the perpetrators behind these attacks have not yet been identified, it is clear that they are well organized, have global reach, and are going after servers that haven't been patched or hardened. It is yet another reminder of the importance of keeping systems up to date, shutting down unnecessary exposed services, and regularly auditing the security of critical applications such as Microsoft Exchange.

 

Read more: Complete Guide to System Hardening

 

Credential Theft Methods in Exchange Servers

 

The file in which the stolen data accumulates is reachable from the internet, so anyone who knows its URL can read it. That's not all: some of the local variants also record session cookies, the browser's user-agent string, and a timestamp for each login alongside the credentials.

One reason this method is so effective is that the compromised server generates no outbound traffic: everything stays on the server until the attackers retrieve it. Network monitoring therefore sees no exfiltration, and detection has to happen on the host, by checking the integrity of the login page and looking for unexpected files in the OWA directory.

The second variant does communicate externally. Here the attackers use a Telegram bot to receive the stolen data: the injected script sends GET requests to the Telegram Bot API with the username and password encoded in request headers named APIKey and AuthToken. In effect, Telegram becomes their private delivery channel for stolen credentials.

 

Read more: Top 10 Telegram Groups and Channels on the Dark Web

 

A third, more advanced variant has also been identified. It combines DNS tunneling with an HTTPS POST request to exfiltrate the credentials, which makes it considerably harder for network security tools to detect.

Of all the compromised servers, at least 22 belong to government agencies. But the attacks don’t stop there. They have also impacted tech, industrial, and logistics companies. Among the most affected countries are Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey.

Researchers warn that many internet-facing Microsoft Exchange servers remain unpatched and therefore exposed to these attacks. The attackers' trick is to plant their code inside an otherwise fully legitimate login page, which lets them capture usernames and passwords in clear text (the script reads the form fields in the browser before they are submitted) and stay unnoticed for weeks or even months. A practical check for administrators: compare the logon page on disk with a known-good copy from the same Exchange build, and look for recently modified or unexpected .aspx files in the OWA authentication directory.