Microsoft Exchange Server vulnerabilities targeted to conduct financial fraud
By MYBRANDBOOK
On Tuesday, Sophos researchers revealed a recent incident in which a Microsoft Exchange Server, which had not been patched to protect it against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam. The incident documented by Sophos also used the combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers to conduct financial fraud through email hijacking.
Squirrelwaffle is a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content tacked on to phishing emails. If an intended victim enables macros in the weaponized documents, Squirrelwaffle then is often used to pull and execute CobaltStrike beacons via a VBS script.
The advanced persistent threat (APT) group Hafnium was actively exploiting the bugs at this time, and other APTs quickly followed suit. While the ProxyLogon/ProxyShell vulnerabilities are now well-known, some servers are still unpatched and open to attacks.
Sophos says that in the recent campaign, the loader was deployed once the Microsoft Exchange Server had been compromised. The server, belonging to an unnamed organization, was used to "mass distribute" Squirrelwaffle to internal and external email addresses by hijacking existing email threads between employees.
The spam campaign was used to spread Squirrelwaffle, but in addition, attackers extracted an email thread and used the internal knowledge within to conduct financial fraud.
Customer data was taken, while a victim organization was also selected. The attackers registered a domain with a name very close to the victim -- a technique known as typo-squatting -- and then created email accounts through this domain to reply to the email thread outside of the server.
"To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department," Sophos explained. "In fact, the additional addresses were also created by the attacker under the typo-squatted domain."
Over six days, the attackers tried to direct a legitimate financial transaction to a bank account they owned. The payment was on its way to being processed, and it was only due to a bank involved in the transaction realizing the transfer was likely fraudulent that the victim did not fall prey to the attack.
BREAKING NEWS
TECHNO TRENDS
Legal Battle Over IT Act Intensifies Amid Musk’s India Plans
The outcome of the legal dispute between X Corp and the Indian government c...
Wipro inks 10-year deal with Phoenix Group's ReAssure UK worth
The agreement, executed through Wipro and its 100% subsidiary,...
Centre announces that DPDP Rules nearing Finalisation by April
The government seeks to refine the rules for robust data protection, ensuri...
Home Ministry cracks down on PoS agents in digital arrest scam
Digital arrest scams are a growing cybercrime where victims are coerced or ...
E-Magazine
TECHNOTAINMENT
Hrithik Roshan to endorse RuPay as Brand Ambassador
RuPay is reportedly planning to feature Bollywood superstar Hrithik Rosha
India Today Group launches – AI Pop Stars
Staying true to our industry leadership position in using cutting-edge tech
MOVERS & SHAKERS
TelioLabs ropes in Phaniraj V A as the Group CEO
TelioLabs has announced the onboarding of Phaniraj V A as its new Group CE
Wipro Appoints Amit Kumar as Managing Partner and Global Head
Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO), a leading technology s
OPEN YOUR EYES
INTERVIEWS
Autodesk continually pushing the boundaries in the Design and
Autodesk’s vision is of a better world designed and made for all. It inte
Cisco building a trusted and resilient future for the nation
Security is foundational to everything Cisco does and customers insist on e
HOT PICK
MSI Announces the availability of RTX 50 series of laptops in
MSI, the innovative computing manufacturer in gaming, creator
Nothing Phone (3a) goes on sale today, starting at Rs 19,999
The phone was launched on March 4, featuring a 50MP main, ultra-wide, and t
MAKE IN INDIA BRANDS
QUICK HEAL TECHNOLOGIES PVT. LTD.
DELL TECHNOLOGIES INDIA PVT. LTD.
LAVA INTERNATIONAL LTD.
VERSA NETWORKS INDIA PVT. LTD.
EMINENT CIO'S OF INDIA
ICONS OF INDIA
ICONS OF INDIA : ROSHNI NADAR MALHOTRA
Roshni Nadar Malhotra is the Chairperson of HCLTech, a leading global ...
ICONS OF INDIA : SANDIP PATEL
Sandip Patel is the Managing Director for IBM India & South Asia regio...
SHAKTIKANTA DAS
Shaktikanta Das is serving as the current & 25th governor of the Reser...
PARTNER SPEAKERS
PSU
NSE - National Stock Exchange Â
NSE is the leading stock exchange in India....
CSC - Common Service CentresÂ
CSC initiative in India is a strategic cornerstone of the Digital Indi...
BSE - Bombay Stock Exchange Â
The Bombay Stock Exchange (BSE) is one of India’s largest and oldest...
VIDEOS
Top 25 Brands
Global Indian industry
Indian Tech Talent Excelling The Tech World - ANJALI SUD, CEO – Tubi
Anjali Sud, the former CEO of Vimeo, now leads Tubi, Fox Corporationâ€...
Indian Tech Talent Excelling The Tech World - Lal Karsanbhai, President & CEO, Emerson
Lal Karsanbhai, President and CEO of Emerson, assumed the leadership i...
Indian Tech Talent Excelling The Tech World - PADMASREE WARRIOR, Founder, President & CEO - Fable
Padmasree Warrior, the Founder, President, and CEO of Fable, is revolu...
ITFORUM 2025
CMO of the Year
WOMEN LEADERSHIP
IMAGE GALLERY
TRENDS IN TECHNOLOGY
MORE VIDEOS
ADVERTISEMENTS
TECHNOLOGY DISRUPTION
UNICORNS REVOLUTIONISING
of images belongs to the respective copyright holders
