22. November 2021 –
Emails sent from an organization's own servers are usually classified as trustworthy. Because of the security gaps in Exchange, however, that origin is no longer a guarantee that a message is free of malware, as a security report now shows.

Many malware attacks are still launched via phishing emails. Organizations try to counter this, among other things, by raising awareness of the danger and training employees. A report from Trend Micro (via “Bleepingcomputer”) now shows that the gaping security holes in Exchange discovered in spring 2021 (“Swiss IT Magazine” reported) are still being exploited, and that the attackers are devising ever more ingenious ways to trick users. In the attack the security firm has now uncovered, the phishing emails were sent from the victims' own Exchange servers so that they appear as trustworthy as possible. The injected messages even turned up as replies within a reply-chain email, i.e. inside an existing conversation. As usual, they carry Office files with malicious macros that run once editing of the file is enabled. Malware is then installed on the target device, including Qbot, IcedID, Cobalt Strike and Squirrelwaffle. The attackers exploited the ProxyShell and ProxyLogon vulnerabilities for this purpose.

Because the mails are sent from within the organization, automated systems are less likely to flag them and more likely to classify them as trustworthy. Companies running Exchange servers are urged to apply the patches from Microsoft, which have been available since March and April 2021 respectively. Meanwhile, employees should be a little more careful when suspicious attachments appear, even within existing mail conversations. (win)
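The report above describes three traits that together let these messages slip past filters: they originate from the organization's own Exchange server, they are threaded into an existing conversation, and they carry an Office attachment that can run macros. The following Python triage heuristic is an added example, not code from the article, Trend Micro or Bleepingcomputer; it checks a raw message for exactly that combination and holds it for review instead of extending the usual trust to internal mail. The domain `example.org`, the hostname `mail.example.org` and both sample messages are constructed for illustration.

```python
"""Triage heuristic for reply-chain phishing delivered through a compromised internal mail server.

Added example (not from the article or the vendor report). Internal origin normally raises
a message's trust score; this check deliberately does the opposite when the message also
sits in an existing thread and carries a macro-capable Office attachment.
"""
import os
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Assumed organization domain and the hostnames of its own Exchange servers (constructed).
INTERNAL_DOMAIN = "example.org"
INTERNAL_MAIL_HOSTS = {"mail.example.org"}

# Office formats that can carry VBA macros: legacy binary formats and the macro-enabled OOXML variants.
MACRO_CAPABLE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt",
                     ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
MACRO_CAPABLE_MIME = {
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-powerpoint",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
}


def macro_capable_attachments(msg: Message) -> List[str]:
    """Return the filenames of attachments whose extension or MIME type can carry macros."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        ext = os.path.splitext(fname.lower())[1]
        if ext in MACRO_CAPABLE_EXT or part.get_content_type() in MACRO_CAPABLE_MIME:
            names.append(fname)
    return names


def sent_via_internal_server(msg: Message) -> bool:
    """True if any Received hop names one of the organization's own mail servers."""
    return any(host in received for received in msg.get_all("Received", [])
               for host in INTERNAL_MAIL_HOSTS)


def in_existing_thread(msg: Message) -> bool:
    """True if the message is threaded into a prior conversation (a reply-chain message)."""
    return bool(msg.get("In-Reply-To") or msg.get("References"))


def triage(raw: str) -> Dict[str, object]:
    """Combine the three traits from the report into a verdict for a raw RFC 822 message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    internal_sender = sender.lower().endswith("@" + INTERNAL_DOMAIN)
    macros = macro_capable_attachments(msg)
    thread = in_existing_thread(msg)
    # Internal origin plus reply-chain context plus a macro-capable attachment is the pattern
    # the report describes, so that combination is held rather than trusted.
    suspicious = internal_sender and thread and bool(macros)
    return {
        "internal_sender": internal_sender,
        "via_internal_server": sent_via_internal_server(msg),
        "in_thread": thread,
        "macro_attachments": macros,
        "verdict": "hold-for-review" if suspicious else "pass",
    }


# Constructed sample: a reply in an existing thread from an internal address with a .docm attachment.
SUSPICIOUS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mail.example.org
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: RE: Q3 invoice
Message-ID: <2@example.org>
In-Reply-To: <1@example.org>
References: <1@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached and enable editing.
--b1
Content-Type: application/vnd.ms-word.document.macroenabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: the same thread and sender, but a PDF attachment, which this check lets pass.
BENIGN = SUSPICIOUS.replace(
    'application/vnd.ms-word.document.macroenabled.12; name="invoice.docm"',
    'application/pdf; name="invoice.pdf"').replace('filename="invoice.docm"', 'filename="invoice.pdf"')

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The check is intentionally narrow: it does not parse the attachment for an actual VBA project, it only refuses to treat "from our own server, inside an existing thread" as a reason to relax scrutiny. Inspecting the file itself, and patching the server so it cannot be used as a relay in the first place, remain the real controls.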

