A team at Trend Micro spotted the campaign, which exploits the ProxyLogon and ProxyShell vulnerabilities patched by Microsoft in March and May respectively.
By doing so, attackers are able to compromise a victim organization’s on-premises Exchange server, and then send phishing emails to other inboxes in the same organization — disguised as legitimate replies to existing email threads.
As real account names from the victim’s domain are used, there’s more chance these emails will be opened by the recipients.
“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,” Trend Micro explained.
“The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activities will be detected. Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.”
The phishing emails in question use attached Excel and Word files featuring malicious macros. These execute a malicious script and download a DLL loader which connects to a C&C server associated with the Squirrelwaffle loader. The final payload is either Cobalt Strike or the Qbot backdoor, according to the report.
Organizations were urged to patch the ProxyLogon and ProxyShell bugs, and use endpoint detection and response (EDR) solutions to detect any suspicious behavior on their servers.
Trend Micro also trumpeted virtual patching technology, which protects vulnerable systems from known and unknown threats until security teams have a chance to apply official updates.