Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.
The actors behind this attack are believed to be 'TR', a known threat actor who distribute emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads.
The threat actors use these compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
Not only is this effective against the human recipients, but it’s also excellent for not raising any alarms on the email protection systems used in the target firm.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
