Positive Technologies has reported ongoing cyberattacks targeting Microsoft Exchange servers, where attackers inject keylogger code to harvest user credentials. The company identified two main types of malicious scripts operating on Outlook's login page, affecting 65 victims across 26 countries. This campaign is a continuation of previous attacks documented in May 2024, and is known to exploit several vulnerabilities in Microsoft Exchange, including ProxyLogon and ProxyShell. Notably, the origins of these attacks remain unidentified, underlining the persistent threat that such actors pose.
Malicious JavaScript code reads and processes the data from the authentication form, then sends it via an XHR request to a specific page on the compromised Exchange Server.
The target page's source code contains a handler function that processes authenticated credentials but remained undiscovered until recent analysis by Positive Technologies.
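Because the injected code lives in the login page itself, comparing the served page against a known-good copy exposes it. The following is an added example, not code from Positive Technologies or Microsoft: it assumes a trusted baseline copy of the page is available, and the function names and both sample pages are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Browser APIs a script can use to send data off the page.
NETWORK_CALLS = re.compile(r"XMLHttpRequest|\bfetch\s*\(|sendBeacon")

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script src values."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser

def audit_login_page(baseline_html, current_html):
    """Report scripts in the served page that the known-good copy lacks."""
    base, cur = collect(baseline_html), collect(current_html)
    known = {hashlib.sha256(s.encode()).hexdigest() for s in base.inline}
    findings = []
    for body in cur.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known:  # new or modified inline script
            findings.append({"kind": "inline", "sha256": digest,
                             "network_call": bool(NETWORK_CALLS.search(body))})
    findings += [{"kind": "external", "src": s}
                 for s in cur.external if s not in base.external]
    return findings

# Constructed sample pages (not taken from the report or a real server).
BASELINE = '<form id="f"></form><script src="/app.js"></script><script>init();</script>'
TAMPERED = BASELINE + '<script>/* stand-in for injected code */ var r = new XMLHttpRequest();</script>'
```

A finding with `network_call` set to true on an authentication page is the case to triage first, since it matches the XHR behaviour described above.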