Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers
In June 2025, cybersecurity researchers sounded the alarm about a stealthy and impactful campaign in which unidentified threat actors targeted more than 70 publicly exposed Microsoft Exchange servers around the world. Rather than deploying conventional malware, these attackers took a subtler and potentially more damaging approach: they injected JavaScript-based keyloggers into Outlook Web Access (OWA) login pages on vulnerable Exchange servers to harvest usernames, passwords, and other sensitive data from unsuspecting users as they logged in. cybersrcc.com
The breadth of the attack — spanning at least 26 countries and affecting a wide range of sectors including government, IT, industry, and logistics — underscores both the persistent risk posed by unpatched Exchange servers and the ingenuity of attackers leveraging script-based credential harvesting to bypass traditional detection mechanisms. Thomas Murray Cyber Limited
Why Exchange Servers Are Attractive Targets
Microsoft Exchange Server has for many years been a cornerstone of enterprise email and calendaring infrastructures. When properly secured and updated, it can serve organizations reliably. However, its widespread use and the historical presence of severe vulnerabilities make it a frequent target for malicious actors.
In this campaign, attackers scanned the internet for Exchange servers exposed to public networks that had not been patched against a range of known vulnerabilities, including the notorious ProxyLogon and ProxyShell exploit chains from 2021, which enable remote code execution and server takeover without authentication. cybersrcc.com
Despite patches having been available for years, many organizations have failed to mitigate these issues, leaving them open to attack. The result: threat actors can gain administrative access with relative ease — a problem that has now been weaponized to harvest credentials from legitimate users. Thomas Murray Cyber Limited
Technical Mechanics of the Keylogger Campaign
Once attackers gain access to a vulnerable Exchange server, they modify its OWA login pages — especially logon.aspx and associated JavaScript resources — to embed malicious code that captures user credentials the moment they are entered into the form.
JavaScript-Based Keylogging
The core of this campaign centers on JavaScript keylogger scripts that run within the Exchange Outlook login interface. These scripts “listen” to user input and record usernames and passwords as they are typed. Two main variants have been identified:
- Local Storage Variant: This version writes captured credentials and additional metadata to a local file on the compromised server, which is then accessible to attackers over the internet. Because the data is stored on the server rather than sent outward immediately, the capture produces no unusual network activity that might trigger detection tools. cybersrcc.com
- Remote Exfiltration Variant: In this case, captured credentials are encoded and transmitted in real time to external infrastructure using stealth techniques such as:
  - Telegram Bot Exfiltration: Attackers abuse Telegram APIs by embedding stolen data in HTTP headers (like APIKey and AuthToken) in seemingly innocuous requests to a bot endpoint.
  - DNS Tunnelling: Credentials are encapsulated within DNS queries and tunneled out of the network, often hidden within legitimate-looking traffic. cybersrcc.com
Both approaches ensure that usernames and passwords — often in plaintext — are captured without noticeable indicators of compromise to the end user or many monitoring tools. Thomas Murray Cyber Limited
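From the defender's side, the mechanics above translate into two checks: whether the OWA auth files still match a trusted baseline, and whether a page's source carries the traits just described (keystroke listeners, outbound request primitives, Telegram endpoints, third-party script includes). The following Python is an added example, not code from the article or from Microsoft; the file paths, digests and page contents are constructed for illustration.

```python
import hashlib
import re

# Added example, not from the article or from Microsoft: a baseline-hash check for the OWA
# auth files plus content heuristics for the injection pattern the campaign used.
# Paths and page contents below are constructed for the example.

def hash_files(files: dict) -> dict:
    """Map each path to the SHA-256 hex digest of its bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def changed_files(baseline: dict, current: dict) -> list:
    """Paths whose digest differs from the trusted baseline or that the baseline lacks.
    Re-baseline after every Exchange update, since updates legitimately change these files."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)

# Traits unusual in a stock logon page: keystroke listeners, outbound request
# primitives, Telegram endpoints, script includes from other hosts.
HEURISTICS = [
    (re.compile(r"addEventListener\(\s*['\"]key(down|up|press)['\"]", re.I), "keystroke listener"),
    (re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b"), "outbound request primitive"),
    (re.compile(r"api\.telegram\.org", re.I), "Telegram API reference"),
    (re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I), "external script include"),
]

def scan_page(html: str) -> list:
    """Return the heuristics that fire on a page's source, sorted and unique."""
    return sorted({label for pattern, label in HEURISTICS if pattern.search(html)})

CLEAN_PAGE = """<form action="/owa/auth.owa" method="post">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
<script src="/owa/auth/scripts/flogon.js"></script>
</form>"""  # constructed stand-in for a stock logon.aspx
INJECTED_PAGE = CLEAN_PAGE + """
<script>
document.getElementById("password").addEventListener("keyup", h);
function h(e) { /* capture body omitted in this constructed sample */ }
var endpoint = "https://api.telegram.org/bot[REDACTED]";
</script>"""  # constructed: the same page with an appended capture block

if __name__ == "__main__":
    baseline = hash_files({"owa/auth/logon.aspx": CLEAN_PAGE.encode()})
    current = hash_files({"owa/auth/logon.aspx": INJECTED_PAGE.encode(),
                          "owa/auth/extra.js": b"// file absent from the baseline"})
    print("changed or new files:", changed_files(baseline, current))
    print("heuristics on logon.aspx:", scan_page(INJECTED_PAGE))
```

Legitimate OWA scripts can trigger an individual heuristic, so treat those hits as triage; a digest that differs from a baseline taken right after the last patch is the authoritative signal.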
Captured Metadata
Beyond just credentials, the keyloggers in some cases also collect:
- Browser cookies
- User-Agent strings (browser/environment identifiers)
- Timestamps
This additional context helps attackers correlate sessions, track ongoing access, and potentially escalate to other systems once they’ve harvested primary credentials. cybersrcc.com
Scope and Spread: Global and Multi-Sector Impact
The campaign is not isolated or confined to one region. Positive Technologies — the Russian cybersecurity firm that publicly disclosed the activity — identified 65 compromised Exchange servers in 26 countries, with indications that the true figure — based on continued investigations — exceeds 70. Thomas Murray Cyber Limited
Among the impacted organizations are:
- Government entities (22 compromised servers located in public sector environments)
- IT service providers and consultants
- Industrial and manufacturing companies
- Logistics and supply chain operators
Regions with the highest number of compromised servers include Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey, demonstrating a broad geographical footprint. Barracuda Blog
A Long-Running, Stealthy Campaign
What makes this campaign especially concerning is its persistence and evolution. Researchers have traced signs of similar activity as far back as 2021, indicating that attackers have maintained access to vulnerable servers for years in some cases. cybersrcc.com
The operation appears to have begun in mid-2024 with initial discoveries in Africa and the Middle East, where attackers used similar techniques to capture credentials from Exchange users. Over time, the campaign expanded both in scope and sophistication, and now touches organizations across continents. cybersrcc.com
This long dwell time — the period between initial compromise and discovery — is a hallmark of successful cyber espionage campaigns. By embedding malicious scripts directly into legitimate interfaces, attackers avoid many common detection mechanisms that focus on executable malware or unusual network traffic. Thomas Murray Cyber Limited
Why This Strategy Is So Insidious
This campaign stands out for several reasons:
Stealth and Low Detection Footprint
The local keylogger variant does not generate outbound connections. Instead, it stores credentials in files that attackers can later retrieve, making it much harder for network defenders to detect anomalies. Even exfiltration via Telegram or DNS appears as seemingly legitimate traffic, blending into routine network flows. cybersrcc.com
Persistent Embedded Compromise
Unlike malware that runs in memory or requires scheduled execution, these injected scripts become part of the trusted login interface. As long as the Exchange server remains compromised, every authentication event becomes a credential leak. cybersrcc.com
High Value Targets and Credentials
Microsoft Exchange accounts are prime targets. Beyond basic email access, they often serve as gateway credentials for broader corporate systems, including Active Directory, cloud services, and internal applications. Harvested passwords can enable lateral movement and wider network compromise. Thomas Murray Cyber Limited
Exploiting Known, Patchable Flaws
Perhaps most frustrating from a security standpoint is that the vulnerabilities exploited — such as ProxyLogon (CVE-2021-26855 and related CVEs) and ProxyShell (a set of 2021 security bypass and remote code execution bugs) — have had mitigations available for years. Organizations that fail to patch remain easy targets. Barracuda Blog
Attribution and Threat Actor Profile
At the time of reporting, the specific threat actors behind the Exchange keylogger campaign remain unidentified. There is no publicly confirmed attribution to a known cybercriminal group or nation-state actor. Barracuda Blog
The modus operandi — exploiting legacy vulnerabilities and embedding persistent credential capture mechanisms — suggests a well-organized group with both patience and a strategic interest in long-term access rather than rapid disruption. The use of infrastructure like Telegram bots for exfiltration points to attackers who seek to blend their operations into common internet services. cybersrcc.com
Some later analyses (e.g., updates in August 2025) even link related tooling to broader malware families — but direct attribution for the keylogger campaign itself is not yet definitive as of late 2025. The Hacker News
Impact and Risk Beyond Credentials
The compromise of Exchange credentials can have cascading effects:
Unauthorized Email Access
Attackers with valid credentials can read internal emails, extract sensitive documents, monitor communications, and understand organizational structures. This access can fuel espionage or further social engineering. Thomas Murray Cyber Limited
Lateral Movement and Domain Capture
Once email credentials are in hand, attackers may attempt to leverage them for broader network access — especially if password reuse, lack of multi-factor authentication (MFA), or weak identity protections are in place. Barracuda Blog
Impersonation and Business Email Compromise (BEC)
Harvested credentials can enable attackers to send phishing or fraud emails from legitimate accounts, tricking internal staff, partners, or customers. Thomas Murray Cyber Limited
Long-Term Persistence
Because malicious code is embedded directly into authentication mechanisms, the compromise can go unnoticed for months or even years, silently capturing each new login event. Thomas Murray Cyber Limited
Mitigation and Defense Recommendations
To counter this threat, organizations should take immediate and sustained action:
1. Patch and Update Immediately
Ensure all Exchange servers are fully patched against known vulnerabilities, especially the ProxyLogon and ProxyShell families of CVEs. Barracuda Blog
2. Audit and Validate Web Content
Regularly audit authentication page source code — particularly logon.aspx and associated JavaScript — for unauthorized modifications or unexpected script injections. Thomas Murray Cyber Limited
3. Isolate Exchange Servers
Expose Exchange servers to the internet only if absolutely necessary and, where possible, put them behind VPNs or authenticated reverse proxies to reduce direct attack surface. Barracuda Blog
4. Enforce Strong Authentication
Implement multi-factor authentication (MFA) on all critical accounts to mitigate risk from compromised passwords. Thomas Murray Cyber Limited
5. Monitor DNS and Network Traffic
Inspect DNS queries and unusual HTTP requests that could indicate tunneling or exfiltration of encoded credentials. cybersrcc.com
6. Web Application Firewalls and EDR
Deploy web application firewalls capable of blocking script injections and endpoint detection solutions that flag abnormal behavior. Barracuda Blog
7. Incident Response Preparation
Have an incident response plan that includes credential rotation, log analysis, and forensic validation in case of compromise discovery. Thomas Murray Cyber Limited
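One way to act on recommendation 5, and on the Telegram and DNS exfiltration variants described earlier, is a scoring pass over resolver and proxy logs. The Python below is an added example rather than code from the article: it scores DNS query names for tunnelling traits (very long names, oversized or random-looking labels, deep nesting) and flags mail servers calling Telegram's bot API. Log formats, addresses and hostnames are constructed.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Added example, not from the article or any vendor: flags DNS queries whose names look like
# encoded data, and HTTP egress from mail servers to Telegram's bot API. All hosts, addresses
# and log formats below are constructed for the example.
MAIL_SERVERS = {"10.0.0.5"}  # constructed: the Exchange servers' addresses
TUNNEL_THRESHOLD = 4

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking encodings score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dns_tunnel_score(qname: str) -> int:
    """Points for traits of data smuggled into DNS labels."""
    sub = qname.rstrip(".").split(".")[:-2]  # labels below the registrable domain (approximation)
    score = 0
    if len(qname) > 80: score += 2                                                # very long name
    if any(len(label) > 30 for label in sub): score += 2                          # oversized label
    if len(sub) >= 3: score += 1                                                  # deep nesting
    if any(len(label) > 20 and shannon_entropy(label) > 3.5 for label in sub): score += 2  # random-looking label
    return score

def flag_dns(lines) -> list:
    """Lines are 'timestamp client qtype qname'; return query names at or over the threshold."""
    qnames = (line.split()[3] for line in lines)
    return [q for q in qnames if dns_tunnel_score(q) >= TUNNEL_THRESHOLD]

def flag_http(lines) -> list:
    """Lines are 'timestamp client method url status'; a mail server has no business
    calling Telegram's bot API, so every such line is returned."""
    hits = []
    for line in lines:
        _, client, _, url, _ = line.split()
        if client in MAIL_SERVERS and urlsplit(url).hostname == "api.telegram.org":
            hits.append(line)
    return hits

DNS_LOG = [  # constructed sample: two ordinary lookups and one tunnelling-shaped TXT query
    "2025-06-12T09:14:01Z 10.0.0.5 A autodiscover.contoso.example.",
    "2025-06-12T09:14:02Z 10.0.0.5 A www.microsoft.com.",
    "2025-06-12T09:14:05Z 10.0.0.5 TXT nbswy3dpeb3w64tmmqqhi2djomqgs4zamequ.7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d.c01.lookup-example.net.",
]
HTTP_LOG = [  # constructed sample: one Telegram request from a mail server, one normal request
    "2025-06-12T09:15:00Z 10.0.0.5 POST https://api.telegram.org/bot[REDACTED]/sendMessage 200",
    "2025-06-12T09:15:01Z 10.0.0.9 GET https://www.microsoft.com/ 200",
]
```

Calling `flag_dns(DNS_LOG)` returns only the long TXT name and `flag_http(HTTP_LOG)` only the Telegram line; tune the thresholds against a week of your own resolver logs before alerting, since CDN and anti-spam lookups also produce long labels.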
Conclusion
The attack on more than 70 Microsoft Exchange servers via JavaScript keylogger injection is a stark reminder of how legacy infrastructure vulnerabilities and lax patching can provide long-term avenues for attackers to harvest credentials with minimal detection. By embedding malicious code into login pages — rather than relying on noisy malware or obvious beaconing traffic — attackers have created a persistent threat that undermines trust in an essential enterprise platform. Thomas Murray Cyber Limited
As cyber threats continue to evolve in sophistication and stealth, defenders must respond with rigorous patch management, proactive auditing, and layered defenses that account for both infrastructure weaknesses and subtle script-based credential theft. Until these measures are widely adopted, campaigns like this one will continue to offer high returns to attackers and high risk to organizations worldwide. Barracuda Blog