A new cybercriminal group is infiltrating Microsoft Exchange servers by abusing the previously disclosed ProxyShell and ProxyLogon exploits to distribute malware. Additionally, they are attempting to avoid detection by using stolen internal reply-chain emails.

What has happened?

Researchers from TrendMicro have observed cybercriminals targeting email conversations of users.
  • The attackers behind this campaign are believed to be 'TR', a threat actor known for spreading emails laden with malicious attachments that drop IcedID, Qbot, Cobalt Strike, and SquirrelWaffle.
  • Upon infection, the attackers use the compromised Exchange servers for simple social engineering tricks, convincing recipients to open the malicious attachments sent with the emails.
  • The attackers reply to a company's internal emails in reply-chain attacks and add links to malicious documents. The emails originate from the internal network and appear to be a continuation of a previous discussion between two employees.

The tricky part

  • Because the attackers craft the malicious emails from inside the organization's network, the messages bypass the email gateways and further raise the reader's trust that the emails are legitimate.
  • The attachments in these emails are standard malicious Microsoft Excel templates that urge recipients to click the Enable Content option to view a supposedly protected file.
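The two traits described above, a message that is a reply in an existing internal thread and that carries an Excel attachment, can be checked together in mail hunting. The following is an added example, not code from the original article or from TrendMicro; the internal domain, the sample message and the attachment bytes are constructed for the demonstration.

```python
"""Flag internal reply-chain messages that carry Excel attachments (added example)."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.corp"  # assumed internal domain (constructed)
# File extensions and MIME types typical of the macro lure documents
SUSPECT_EXTS = (".xls", ".xlsm", ".xlsb")
SUSPECT_TYPES = {"application/vnd.ms-excel",
                 "application/vnd.ms-excel.sheet.macroenabled.12"}


def is_internal(addr: str) -> bool:
    """True when the address belongs to the assumed internal domain."""
    return addr.lower().rsplit("@", 1)[-1] == INTERNAL_DOMAIN


def suspicious_attachments(msg: EmailMessage) -> list:
    """Return names of attachments that look like Excel lure documents."""
    names = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if fname.endswith(SUSPECT_EXTS) or ctype in SUSPECT_TYPES:
            names.append(fname or ctype)
    return names


def flag_reply_chain_lure(raw: bytes) -> dict:
    """Parse one RFC 822 message and flag the reply-chain lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    # A reply in an existing thread carries In-Reply-To and/or References
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    attachments = suspicious_attachments(msg)
    flagged = is_reply and is_internal(addr) and bool(attachments)
    return {"from": addr, "is_reply": is_reply,
            "attachments": attachments, "flagged": flagged}


def build_sample(in_reply: bool = True, attach: bool = True) -> bytes:
    """Constructed sample message; toggles let you test the negative cases."""
    m = EmailMessage()
    m["From"] = "alice@example.corp"
    m["To"] = "bob@example.corp"
    m["Subject"] = "RE: Q3 invoice"
    if in_reply:
        m["In-Reply-To"] = "<original-thread@example.corp>"
    m.set_content("See the protected file attached; enable content to view.")
    if attach:  # placeholder bytes, not a real workbook
        m.add_attachment(b"constructed-placeholder", maintype="application",
                         subtype="vnd.ms-excel", filename="invoice.xls")
    return m.as_bytes()
```

Run `flag_reply_chain_lure(build_sample())` to see the lure pattern flagged; dropping the In-Reply-To header or the attachment clears the flag.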

A slight confusion

  • In one of the attacks, the researchers observed the distribution of the SquirrelWaffle loader, which then installed Qbot.
  • However, another researcher claims that the malicious document used by this attacker dropped both pieces of malware as separate payloads, rather than SquirrelWaffle spreading Qbot.


Cybercriminals are once again exploiting the ProxyLogon and ProxyShell vulnerabilities in their attacks. Although Microsoft already fixed ProxyLogon in March and ProxyShell in April and May, unpatched servers may still be exposed to the internet. Organizations should therefore apply the latest patches for these vulnerabilities as soon as possible.

Cyware Publisher