{
	"id": "9977f2fa-80e5-4559-a18a-0300f77f8740",
	"created_at": "2026-04-06T00:13:29.193291Z",
	"updated_at": "2026-04-10T13:13:10.52978Z",
	"deleted_at": null,
	"sha1_hash": "05603f7ddd03b36c796639e6b6e284b45f032c73",
	"title": "CIRCL » TR-64 - Exploited Exchange Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56525,
	"plain_text": "CIRCL » TR-64 - Exploited Exchange Servers\r\nArchived: 2026-04-05 16:22:06 UTC\r\nWhat have we observed?\r\nSeveral organizations received complaints about the fact that their email accounts are sending spam, phishing and\r\ninfected emails to their partner organizations. The emails are usually replies to ongoing email threads, where an\r\nattacker pastes a greeting sentence and URLs above the original mail content.\r\nAttackers/adversaries do that to improve the social acceptance rate of their malspam. Indeed this strategy seems to\r\nbe very successful.\r\nHere is a sample in English: (URLs are disarmed)\r\nSubject: Re: Demande de Remboursement\r\nGreetings! I send here a recordwith a thorough description of the recent problem. Please examine it here:\r\n1)hXXps://ooforms[.]com/omnisquod/voluptatummodi-3313010\r\n2)hXXps://karafarinenovin[.]com/estsit/estsed-3313010\r\nGudde Moien,\r\nHere is a sample in French: (URLs are disarmed)\r\nObjet : Re: Nouveau dossier// REFTP 27791\r\nBonne journée! Dans cette lettre, j'envoie le Doc mentionné avec votre signature. Vous pouvez trouver via le lie\r\n1)hXXps://catechismo.ravaldino[.]it/quiatemporibus/ideligendi-1590551\r\n2)hXXps://tradingview.dharwadinternationalschool[.]com/delectusquia/officiisexpedita-1590551\r\nMonsieur,\r\nIf you receive emails like this, take care. These are links to QBot/QakBot/DanaBot/SquirrelWaffle malware,\r\nwhich is an “Information Stealing” / “Cobalt Strike Loader” malware. An infection will most likely end up in a\r\nransomware case.\r\nIf you receive complaints about emails like this being sent from your infrastructure, be prepared to alert your IT\r\nteam or IT supplier and feel free to contact CIRCL for assistance.\r\nRoot Cause\r\nhttps://www.circl.lu/pub/tr-64/\r\nPage 1 of 4\r\nRecently we had to deal with several critical security vulnerabilities in Microsoft Exchange.\r\nIn March 2021, CIRCL warned about critical vulnerabilities which were initially exploited by an activity group\r\n(called HAFNIUM by Microsoft) starting in late 2020.\r\nTR-61 - Critical vulnerabilities in Microsoft Exchange\r\nIn late October CIRCL got notified about MS Exchange servers vulnerable to the recent critical Exchange RCE\r\nvulnerability CVE-2021-26427.\r\nMicrosoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26427\r\nCIRCL immediately worked through the list of vulnerable IP addresses and notified the respective ISPs (service\r\nproviders) with the request to warn their customers.\r\nSince then, most of the vulnerable MS Exchange servers have been patched (updated). But unfortunately sometimes\r\npatching alone is not sufficient.\r\nIf the server was already compromised before successful patching, the patch will likely close the vulnerability. But\r\nthe server remains compromised.\r\nPatching alone is not sufficient\r\nThis situation is what we are looking at right now: the infrastructure is compromised, attackers read the emails and\r\ninject their malicious content into the mail threads by replying to the mail interaction.\r\nFixing and mitigation\r\nThere is only one single procedure to ensure that you completely fix and mitigate the situation, close all potential\r\nbackdoors and kick out the attackers: re-install every compromised server from scratch and then recover and copy\r\nthe data over.\r\nIn all cases, we recommend initiating a full incident response process including a security review of the\r\nsystem.\r\nOne of the most important questions which must get answered: Did the attackers manage to move laterally within\r\nthe internal network? If this happened, you are at high risk of crypto ransomware or data exfiltration. This means\r\nyou will find all your data encrypted - or stolen.\r\nIf you have no resources for incident response and reinstalling the Exchange server from scratch, Microsoft has\r\npublished guidance for responders.\r\nGuidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities\r\nDo I need to patch internal and non-exposed Exchange servers?\r\nYes.\r\nHave you seen exploited servers in Luxembourg?\r\nYes.\r\nNew wave of malspam\r\nUnfortunately the initial ‘Root Cause’ leads to the next stage of attacks. It seems the compromised Exchange\r\nservers were not only abused for spreading malspam by replying to existing email threads. CIRCL recently\r\nreceived evidence that the servers also got abused for a data breach.\r\nIt seems the attackers exfiltrated a decent amount of emails from the compromised servers. These exfiltrated emails\r\nare now traded on the Internet and used to send new waves of malspam by replying to existing email\r\nconversations.\r\nHere is a sample in German: (URLs are disarmed)\r\n\u003e\r\n\u003e Objet: H\r\n\u003e\r\n\u003e Schönen Tag!\r\n\u003e Ich traf Komplikationen mit der Übertragung an Ihre Papiere. Deshalb sende ich es noch einmal:\r\n\u003e\r\n\u003e hXXps://sade-cgth[.]az/guufiaq/tdtsl-ttarseaiaobsiumtcuto-aemlaoernoi\r\n\u003e\r\nIn case your organization was a victim of the ‘Root Cause’ you should expect new waves of malspam sent in your\r\nname. Please warn all your contacts to be vigilant and not to click a link.\r\nSince this kind of data leak also contains PII - personally identifiable information - we strongly advise reporting to\r\nthe local data protection agency CNPD as soon as you learn about your organization being affected:\r\nCommission nationale pour la protection des données\r\nReferences\r\nTR-61 - Critical vulnerabilities in Microsoft Exchange\r\nMicrosoft Exchange Server Remote Code Execution Vulnerability\r\nCVE-2021-26427\r\nPatching alone is not sufficient\r\nGuidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities\r\nCommission nationale pour la protection des données\r\nClassification of this document\r\nTLP:WHITE information may be distributed without restriction, subject to copyright controls.\r\nRevision\r\nVersion 1.0 - TLP:WHITE - First version - 10 November 2021\r\nVersion 1.1 - TLP:WHITE - New wave of malspam - 16 February 2022\r\nSource: https://www.circl.lu/pub/tr-64/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.circl.lu/pub/tr-64/"
	],
	"report_names": [
		"tr-64"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05603f7ddd03b36c796639e6b6e284b45f032c73.pdf",
		"text": "https://archive.orkl.eu/05603f7ddd03b36c796639e6b6e284b45f032c73.txt",
		"img": "https://archive.orkl.eu/05603f7ddd03b36c796639e6b6e284b45f032c73.jpg"
	}
}