A malware campaign aimed at Microsoft Exchange servers exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The campaign was uncovered by TrendMicro researchers that detailed the technique used to trick victims opening the malicious email used as the attack vector.

The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains.

The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once compromised the Exchange servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents. Sending the messages from the organizations allow the attackers to bypass detection.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails.”