{"id":3072,"date":"2021-08-18T12:16:01","date_gmt":"2021-08-18T10:16:01","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3072"},"modified":"2026-06-08T22:46:21","modified_gmt":"2026-06-08T22:46:21","slug":"new-microsoft-exchange-server-attack","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/new-microsoft-exchange-server-attack\/","title":{"rendered":"New attack against Microsoft Exchange servers"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent weeks, new vulnerabilities affecting <strong>Microsoft Exchange<\/strong> servers have been identified. The chained exploitation of three distinct vulnerabilities enables an attacker to bypass authentication mechanisms and execute arbitrary code (<strong>Remote Code Execution<\/strong>) on the target system with administrative privileges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerabilities Involved<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The concatenation of three distinct vulnerabilities has enabled an attack chain designated <strong>ProxyLogon<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34473\" target=\"_blank\" class=\"ek-link\">CVE-2021-34473<\/a> &#8211; Pre-auth Path Confusion for ACL Bypass<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34523\" target=\"_blank\">CVE-2021-34523<\/a> &#8211; Privilege Escalation on Backend Servers<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-31207\" target=\"_blank\">CVE-2021-31207<\/a> &#8211; Arbitrary File Write leading to Code Execution (<strong>RCE<\/strong>)<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">By exploiting the listed vulnerabilities, an attacker can upload any <strong>webshell<\/strong> to Microsoft Exchange servers, through which commands can be executed with administrative privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber attacks exploiting this vulnerability chain have already been observed in the wild.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attack is enabled by the fact that Exchange server components processing HTTP requests do not perform certain validation checks on headers. Specifically, backend server access can be obtained by providing any email address and subsequently bypassing authentication procedures. Once backend access is achieved, abusing the PowerShell command <strong><em>New-MailboxExportRequest<\/em><\/strong> allows an attacker to write arbitrary files to the <strong><em>c:\\inetpub\\wwwroot\\aspnet_client\\<\/em><\/strong> directory. By uploading a webshell, remote code execution with elevated privileges becomes possible. Organizations operating Exchange infrastructure should implement <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities to detect anomalous HTTP patterns and unauthorized file writes indicative of exploitation attempts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Attacks observed across multiple research groups have demonstrated use of the initial URL <strong><em>https:\/\/Exchange-server\/autodiscover\/autodiscover.json?@foo.com\/mapi\/nspi\/?&amp;Email=autodiscover\/autodiscover.json%3F@foo.com<\/em><\/strong>. Following webshell upload, two executables have been observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>C:\\Windows\\System32\\createhidetask.exe<\/li><li>C:\\Windows\\System32\\ApplicationUpdate.exe<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In cases where these executables were not deployed, a randomly-named file with <strong>.aspx<\/strong> extension has been found in the <strong><em>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<\/em><\/strong> directory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">URLs<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/Exchange-server\/autodiscover\/autodiscover.json?@foo.com\/mapi\/nspi\/?&amp;Email=autodiscover\/autodiscover.json%3F@foo.com<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Files<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>C:\\Windows\\System32\\createhidetask.exe<\/li><li>C:\\Windows\\System32\\ApplicationUpdate.exe<\/li><li>Randomly-named file with ASPX extension in C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IP Addresses<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>3.15.221.32<\/li><li>194.147.142.0\/24<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Fresh wave of attacks against Microsoft Exchange Server: new exploitation patterns, web shell families observed and mitigation guidance for exposed environments.<\/p>\n","protected":false},"author":1,"featured_media":1889,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1491,1713,3204,1715,1717,3203,3206,1719,1721,1723,3205],"class_list":["post-3072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cve-it","tag-exchange-it","tag-exchange-exploitation","tag-exchange-server-it","tag-mail-it","tag-microsoft-exchange","tag-patch-urgency","tag-proxylogon-it","tag-proxyshell-it","tag-server-it","tag-web-shell"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3072"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3072\/revisions"}],"predecessor-version":[{"id":9869,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3072\/revisions\/9869"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}