{
	"id": "896eb314-df95-4492-bfc9-fde2ed95a87e",
	"created_at": "2026-04-06T00:18:00.125974Z",
	"updated_at": "2026-04-10T13:12:23.222Z",
	"deleted_at": null,
	"sha1_hash": "163c1919bc8330b8c73be16220049e71ec593a18",
	"title": "Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803395,
	"plain_text": "Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack\r\nEmail Chains\r\nBy: Sherif Magdy, Abdelrhman Sharshar Nov 19, 2021 Read time: 5 min (1279 words)\r\nPublished: 2021-11-19 · Archived: 2026-04-05 20:28:50 UTC\r\nExploits \u0026 Vulnerabilities\r\nSquirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploitation of the Microsoft Exchange Server vulnerabilities ProxyLogon and ProxyShell.\r\nIn September, Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim’s guard against malicious activities. To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\r\nThe Trend Micro Incident Response team looked into several intrusions related to Squirrelwaffle that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.\r\nThis comes from the fact that all of the intrusions we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. In this blog entry, we shed more light on these observed initial access techniques and the early phases of Squirrelwaffle campaigns.\r\nMicrosoft Exchange infection\r\nWe observed evidence of exploitation of the vulnerabilities CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS logs on three of the Exchange servers that were compromised in different intrusions. The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from the ProxyShell vulnerabilities.\r\nCVE-2021-26855: the pre-authentication proxy vulnerability\r\nThis server-side request forgery (SSRF) vulnerability can allow a threat actor access by sending a specially crafted web request to an Exchange Server. The web request contains an XML payload directed at the Exchange Web Services (EWS) API endpoint.\r\nThe request bypasses authentication using specially crafted cookies and allows an unauthenticated threat actor to execute EWS requests encoded in the XML payload and ultimately perform operations on victims’ mailboxes.\r\nhttps://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html\r\nPage 1 of 6\n\nFrom our analysis of the IIS log, we saw that the threat actor used a publicly available exploit in its attack. This exploit gives a threat actor the ability to get users' SIDs and emails. They can even search for and download a target’s emails. Figures 1 to 3 highlight evidence from the IIS logs and show the exploit code.\r\nFigure 1. Exploiting CVE-2021-26855, as seen in the IIS logs\r\nThe logs (Figures 2 to 3) also show that the threat actor used the ProxyLogon vulnerability to get this particular user’s SID and emails in order to send malicious spam.\r\nFigure 2. The function responsible for getting the SID inside the exploit\r\nFigure 3. The user agent used in the attack\r\nCVE-2021-34473: the pre-auth path confusion\r\nThis ProxyShell vulnerability abuses the URL normalization of the explicit Logon URL, wherein the logon email is removed from the URL if the suffix is autodiscover/autodiscover.json. This grants an arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITY\\SYSTEM).\r\nFigure 4. Exploiting CVE-2021-34473\r\nCVE-2021-34523: Exchange PowerShell backend elevation-of-privilege\r\nExchange has a PowerShell remoting feature that can be used to read and send emails. It can’t be used by NT AUTHORITY\\SYSTEM, as that account does not have a mailbox. However, when the backend is accessed directly via the previous vulnerability, the backend/PowerShell endpoint can be provided with an X-Rps-CAT query string parameter. This parameter is deserialized and used to restore the user identity. It can therefore be used to impersonate a local administrator to run PowerShell commands.\r\nWith this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains.\r\nMalicious spam\r\nIn one of the observed intrusions, all the internal users in the affected network received spam emails that had been sent as legitimate replies to existing email threads. All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets.\r\nFigure 5. The malicious spam received by targets\r\nIn the same intrusion, we analyzed the email headers of the received malicious emails: the mail path was internal (between the three internal Exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).\r\nFigure 6. Malicious spam via the MTA route\r\nDelivering the malicious spam using this technique to reach all the internal domain users decreases the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails. The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activity would be detected. Additionally, no malware was executed on the Exchange servers that would trigger any alerts before the malicious email was spread across the environment.\r\nThe malicious Microsoft Excel file\r\nThe attacker exploited the Exchange servers to deliver internal mails. This was all done to catch users off guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.\r\nBoth links used in the malicious emails (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) drop a ZIP file on the machine. The ZIP file contains, in this case, a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.\r\nFigure 7. Malicious Microsoft Excel document\r\nThese sheets contain malicious Excel 4.0 macros that are responsible for downloading and executing the malicious DLL.\r\nFigure 8. Excel 4.0 Macros\r\nThe spreadsheets download the DLL from hardcoded URLs, which are hxxps:[//]iperdesk.com/JWqj8R2nt/be.html, hxxps:[//]arancal.com/HgLCgCS3m/be.html and hxxps:[//]grandthum.co.in/9Z6DH5h5g/be.html.\r\nThe DLL is dropped in C:\\Datop\\. Finally, the document executes the DLL using the following commands:\r\n\"C:\\Windows\\System32\\regsvr32.exe\" C:\\Datop\\good.good\r\n\"C:\\Windows\\System32\\regsvr32.exe\" C:\\Datop\\good1.good\r\n\"C:\\Windows\\System32\\regsvr32.exe\" C:\\Datop\\good2.good\r\nFigure 9. Excel file infection chain\r\nOnce the DLL executes, it injects into the Microsoft process c:\\windows\\system32\\mobsync.exe and then communicates with the command-and-control (C\u0026C) server (hxxp:[//]24.229.150.54:995[/]t4).\r\nFigure 10. DLL infection flow\r\nSecurity recommendations\r\nAs mentioned earlier, by exploiting ProxyLogon and ProxyShell, attackers were able to bypass the usual checks that would have stopped the spread of malicious email. This highlights how users play an important part in the success or failure of an attack. Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files. Emails that come from trusted contacts may not be enough of an indicator that whatever link or file is included in the email is safe.\r\nIt is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), have already been applied. As Microsoft reiterated, those who have applied its patch for ProxyLogon in March are not protected from the ProxyShell vulnerabilities and should install the more recent (May or July) security updates.\r\nHere are other security best practices to consider:\r\nEnable virtual patching modules on all Exchange servers to provide critical-level protection for servers that have not yet been patched for these vulnerabilities.\r\nUse endpoint detection and response (EDR) solutions on critical servers, as they provide visibility into machine internals and detect any suspicious behavior running on servers.\r\nUse endpoint protection designed for servers.\r\nApply sandbox technology on email, network, and web; it is very important for detecting similar URLs and samples.\r\nUsers can also opt to protect systems through managed detection and response (MDR) products, which utilize advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. They can detect threats before they are executed, preventing further compromise.\r\nThe indicators of compromise (IOCs) can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html"
	],
	"report_names": [
		"Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/163c1919bc8330b8c73be16220049e71ec593a18.pdf",
		"text": "https://archive.orkl.eu/163c1919bc8330b8c73be16220049e71ec593a18.txt",
		"img": "https://archive.orkl.eu/163c1919bc8330b8c73be16220049e71ec593a18.jpg"
	}
}