Exchange Server Flaws Once Again Under Heavy Targeting

What has happened?

• The attackers behind this campaign are believed to be 'TR', a threat actor known for spreading emails laden with malicious attachments that drops IcedID, Qbot, Cobalt Strike, and SquirrelWaffle.
• Upon infection, the attackers use these compromised Exchange servers for simple social engineering tricks, convincing the recipients into opening malicious attachments sent with the emails.
• Attackers would reply to a company's internal emails in reply-chain attacks and add links to malicious documents. The emails originate from the internal network and seem to be a continuation of a previous discussion that happened between two employees. 

The tricky part

• Hackers curate malicious emails on the organization’s network, and thus, bypass the email gateways and further increase the element of trust of the reader that the emails are legitimate.
• The attachments in these emails are laden with standard malicious Microsoft Excel templates that urge the recipients to Enable Content option to view a protected file.

A slight confusion

• In one of the attacks, the researchers have seen the distribution of SquirrelWaffle loader, which then installs Qbot. 
• However, another researcher claims that the malicious document used by this attacker dropped both malware as separate payloads, instead of SquirrelWaffle spreading Qbot.

Conclusion