Microsoft Exchange Hack: Secret Keyloggers Found Stealing OWA Passwords

Imagine logging into your work email, only to have your password quietly stolen before you even get access. That’s the alarming reality facing organizations worldwide, as cybersecurity researchers discovered attackers have compromised Microsoft Exchange servers and injected hidden code into the Outlook on the Web (OWA) login pages, specifically designed to grab your sensitive credentials. This widespread attack targets government bodies and various companies, posing a significant threat to data security.

What’s Happening? The OWA Login Page Hijack

Security experts from Positive Technologies have uncovered a sneaky attack affecting Microsoft Exchange servers accessible from the internet. The attackers managed to modify the login page users see when they access their email, calendar, and contacts through a web browser (Outlook on the Web or OWA).

The change isn’t visible to the user. Instead, malicious JavaScript code is secretly running in the background. This code acts as a keylogger, recording everything typed into the username and password fields on the login form.

How the Keyloggers Work

Researchers observed two main ways these keyloggers operate once they capture your login details:

  1. Saving to a File: Some keyloggers save the stolen usernames, passwords, and sometimes even session cookies directly to a file on the compromised server. This file is left in a location that the attackers can easily access later over the internet.
  2. Sending Data Remotely: Other versions of the keylogger are more sophisticated. They snatch your credentials and immediately send them off to the attackers, often using services like Telegram bots or Discord servers for quick and easy collection. The stolen data is even tagged to let the attackers know exactly which organization the compromised credentials belong to.

[Figure: JavaScript code snippet identified as a browser-based keylogger targeting Microsoft Exchange OWA login pages]

How Did Attackers Get In? The Mystery of Initial Access

While the method of stealing credentials (the keylogger injection) is clear, how the attackers first broke into these Microsoft Exchange servers remains less certain.

Researchers noted that some of the affected servers were vulnerable to older, well-known security flaws. This includes vulnerabilities like the infamous ProxyLogon issues from 2021 (CVE-2021-26855), the three ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and even the older SMBGhost flaw (CVE-2020-0796). Organizations that hadn’t applied patches for these past issues could have been easy targets.

However, the researchers also found compromised servers that weren’t vulnerable to these specific known exploits. This suggests the attackers might be using other, potentially newer or unknown, methods to gain initial access before deploying their keyloggers. This adds another layer of concern, as relying solely on patching known past vulnerabilities might not be enough to prevent this type of attack.

Who Is Being Targeted? A Global Problem

This isn’t an isolated incident in one corner of the world. Compromised servers have been found across the globe, including in Vietnam, Russia, Taiwan, China, Australia, and numerous other countries spanning Asia, Europe, Africa, and the Middle East.

The attackers aren’t picky about the size of the organization, but they show a clear interest in high-value targets. The majority of the affected servers belonged to government organizations – 22 government entities were identified. The attack also heavily impacted companies in the IT sector, industrial businesses, and logistics firms.

[Figure: Bar chart illustrating the geographical distribution of organizations affected by the Microsoft Exchange OWA keylogger attack]

Taking Action: What Organizations and Users Should Do

For regular users accessing OWA, the keylogger is completely invisible. You wouldn’t see any difference on the login page itself. The responsibility for detection and cleanup falls heavily on the organizations managing these Microsoft Exchange servers.

Security teams and IT administrators need to be proactive. They should:

  • Inspect OWA Login Pages: Carefully check all files and code related to their Outlook on the Web login pages for any unauthorized or suspicious JavaScript.
  • Look for Web Shells: Examine the Microsoft Exchange server folders for unexpected files, especially ‘web shells’ which attackers often leave behind to maintain access. Researchers have even shared resources like YARA rules to help detect this malicious code.
  • Investigate Thoroughly: If a compromise is found, it’s crucial to conduct a deep investigation. Attackers who can inject code into a login page may have found other ways into the network or other systems.
  • Reset Passwords: Most importantly, if a login page is found to be compromised, all users who accessed their account through that page must have their passwords reset immediately. Stolen credentials are the primary goal of this attack.
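As an added defender-side example (not code from the article or from Positive Technologies' research), the following Python scanner applies the first two checks from the list above: it flags inline scripts on a logon page that carry the behaviours described (key-event hooks on the credential fields, hard-coded Telegram or Discord endpoints) and compares the page directory against a known-good SHA-256 manifest to surface modified or unexpected files. The file paths, the baseline manifest and the sample HTML are constructed placeholders, not real Exchange files.

```python
import hashlib
import re

# Indicators drawn from the behaviour described in the article: inline script on the
# logon page that hooks keystrokes on the credential fields, and hard-coded
# Telegram bot / Discord webhook endpoints used to receive what was captured.
EXFIL_MARKERS = ("api.telegram.org", "discord.com/api/webhooks", "discordapp.com/api/webhooks")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
KEY_HOOK_RE = re.compile(r"\b(?:keyup|keydown|keypress|onkeyup|onkeydown)\b", re.I)
CRED_FIELD_RE = re.compile(r"\b(?:username|password|passwordInput)\b", re.I)


def scan_logon_html(html: str) -> list[str]:
    """Return human-readable findings for suspicious inline scripts in an OWA logon page."""
    findings = []
    for n, match in enumerate(SCRIPT_RE.finditer(html), start=1):
        body = match.group(1)
        hits = [m for m in EXFIL_MARKERS if m in body]
        if hits:
            findings.append(f"script #{n}: references exfiltration endpoint {hits}")
        if KEY_HOOK_RE.search(body) and CRED_FIELD_RE.search(body):
            findings.append(f"script #{n}: hooks key events on credential fields")
    return findings


def check_integrity(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, str]:
    """Compare files (path -> content) against a known-good SHA-256 manifest.

    Status is 'ok', 'modified', 'unexpected' (possible web shell or dropped file)
    or 'missing'. The baseline must come from a clean install or trusted backup.
    """
    status = {p: ("ok" if baseline.get(p) == hashlib.sha256(d).hexdigest()
                  else "modified" if p in baseline else "unexpected")
              for p, d in files.items()}
    status.update({p: "missing" for p in baseline if p not in files})
    return status


# Constructed sample input (placeholder paths, not real Exchange files): a clean logon
# form and the same form with a non-functional script fragment carrying the indicators.
CLEAN_LOGON = ('<html><form><input id="username"><input id="password" type="password">'
               '</form><script src="/owa/auth/app_placeholder.js"></script></html>')
INJECTED_LOGON = CLEAN_LOGON.replace(
    "</html>",
    '<script>/* constructed indicator fragment, does nothing */'
    'var f="password", e="keyup", u="https://api.telegram.org/bot<placeholder>";'
    '</script></html>')
BASELINE = {"owa/auth/logon.aspx": hashlib.sha256(CLEAN_LOGON.encode()).hexdigest()}
OBSERVED = {"owa/auth/logon.aspx": INJECTED_LOGON.encode(),
            "owa/auth/dropped_placeholder.aspx": b"<%@ Page %>"}  # constructed extra file
```

Run `scan_logon_html` over the logon page files and `check_integrity` over the whole OWA auth directory; a clean page yields no findings, while the injected sample is reported for both the endpoint reference and the credential-field key hook, and the extra file shows up as "unexpected".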

This incident highlights the ongoing need for robust security practices, including keeping servers fully patched against known vulnerabilities and implementing continuous monitoring for signs of compromise. The digital login page, often seen as just a gateway, is increasingly a target for sophisticated attacks aiming to steal the keys to sensitive data.