Attackers Hijack Email Threads Using ProxyLogon/ProxyShell Flaws

Exploiting Microsoft Exchange ProxyLogon & ProxyShell vulnerabilities, attackers are malspamming replies in existing threads and slipping past malicious-email filters.

Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say.

What’s still under discussion: whether the offensive is delivering Squirrel Waffle, the new email loader that showed up in September, or whether Squirrel Waffle is just one piece of malware among several that the campaigns are dropping.

Cisco Talos researchers first got wind of the Squirrel Waffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering Qakbot malware and the penetration-testing tool Cobalt Strike – two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with Squirrel Waffle in the initial stage of the infection chain.

SquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has been known to work.

Slipping Under People’s Noses

In a report posted on Friday, Trend Micro researchers ​​Mohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar said that hijacking email replies for malspam is a good way to slip past both people’s spam suspicions and to avoid getting flagged or quarantined by email gateways.

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail [gateways] will not be able to filter or quarantine any of these internal emails,” they wrote.

The attacker also didn’t drop, or use, tools for lateral movement after gaining access to the vulnerable Exchange servers, Trend Micro said. Thus, they left no tracks, as “no suspicious network activities will be detected. Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.”

Middle East Campaign

Trend Micro’s Incident Response team had decided to look into what researchers believe are SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious Exchange server vulnerabilities.

They shared a screen capture, shown below, that’s representative of the malicious email replies that showed up in all of the user inboxes of one affected network, all sent as legitimate replies to existing threads, all written in English.

They found that other languages were used in different regions outside of the Middle East attack they examined. Still, in the intrusions they analyzed that were outside of the Middle East, most of the malicious emails were written in English, according to the report.

Leave a Reply

Your email address will not be published. Required fields are marked*