Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials with Keyloggers

    Unidentified threat actors are actively targeting publicly exposed Microsoft Exchange servers to inject malicious code into login pages, enabling them to harvest user credentials. A recent analysis by Positive Technologies revealed two types of JavaScript keyloggers on the Outlook login page:

 

  • Local Storage Keyloggers: These save collected data to a file accessible over the internet
  • External Server Keyloggers: These immediately send the harvested data to an external server.
    The attacks have affected 65 victims across 26 countries, continuing a campaign first documented in May 2024, which initially targeted entities in Africa and the Middle East. The first signs of compromise date back to 2021, impacting government agencies, banks, IT companies, and educational institutions.
Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials with KeyloggersHackers Target Over 70 Microsoft Exchange Servers to Steal Credentials with Keyloggers

Attack Mechanism


The attackers exploit known vulnerabilities in Microsoft Exchange Server, such as ProxyShell and ProxyLogon, to insert keylogger code into the login page. Some of the vulnerabilities exploited include:

  • CVE-2014-4078: IIS Security Feature Bypass
  • CVE-2020-0796: Windows SMBv3 Remote Code Execution
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065: Microsoft Exchange Server Remote Code Execution (ProxyLogon)
  • CVE-2021-31206: Microsoft Exchange Server Remote Code Execution
  • CVE-2021-31207, CVE-2021-34473, CVE-2021-34523: Microsoft Exchange Server Security Feature Bypass (ProxyShell)
Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials with KeyloggersHackers Target Over 70 Microsoft Exchange Servers to Steal Credentials with Keyloggers

      The malicious JavaScript reads data from the authentication form and sends it to a specific page on the compromised server. Some variants also collect user cookies and timestamps, minimizing detection risks by avoiding outbound traffic.

 

     Another variant uses a Telegram bot for data exfiltration via XHR GET requests, while some employ DNS tunneling with HTTPS POST requests to bypass organizational defenses.

Among the compromised servers, 22 are located in government organizations, with additional infections in IT, industrial, and logistics sectors. Countries like Vietnam, Russia, Taiwan, China, and Turkey are among the top targets.

 

       Researchers warn that many Microsoft Exchange servers remain vulnerable to older exploits, allowing attackers to embed malicious code into legitimate authentication pages and capture user credentials in plaintext without detection.