{
	"id": "9ac7bc8d-e11f-421c-a7e0-e42784031ed0",
	"created_at": "2026-04-06T00:14:40.065498Z",
	"updated_at": "2026-04-10T13:12:33.553392Z",
	"deleted_at": null,
	"sha1_hash": "247f82670ef8f2af65dcf965ae0383a1a33654f9",
	"title": "Unpatched Exchange servers distribute phishing links (squirrelwaffle) – Certitude Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 415756,
	"plain_text": "Unpatched Exchange servers distribute phishing links (squirrelwaffle) – Certitude Blog\r\nWritten by Peter Wagner\r\nPublished: 2021-11-29 · Archived: 2026-04-05 22:19:53 UTC\r\nAt the beginning of November a customer reached out to us. Internal and external users reported suspicious mails sent from their mail accounts, which included suspicious links. These mails were sent as replies to messages already sent in the past, which made them appear legitimate.\r\nFirst it was confirmed in the mail headers that the mail originated from the customer's Exchange and was not spoofed from external sources. While further investigating the root cause it turned out that the on-premise MS Exchange server had not received updates for several months. Thus, it was affected by multiple vulnerabilities, e.g. “ProxyShell” (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and “ProxyLogon” (CVE-2021-26855).\r\nThe IIS logs showed that specially crafted server-side request forgery (SSRF) requests were used to exploit CVE-2021-26855, directed at the Exchange Web Services API endpoint. This allowed the attacker to perform unauthorized actions on behalf of legitimate users.\r\nThe corresponding IIS log lines looked like this:\r\nhttps://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/\r\nPage 1 of 3\r\n2021-11-01 19:50:59 xxx.xxx.xxx.xxx POST /autodiscover/autodiscover.json a=a@edu.edu/autodiscover/autodiscover.x\r\nOne thing that was also noticeable in the Exchange logs is that the “ItemClass” of all mails created by the attacker was set to “IPM.Blabla”.\r\nThis allowed us to filter these mails in Outlook. However, this only worked for mailboxes of users who received these suspicious emails. We did not find emails in the “sent” folders of affected users. The pictures below show two mail accounts.\r\nThe format of the censored URLs conformed to the following regex pattern: [a-z]+\\.[a-z0-9]+\\.com\\/[a-z]+\\/[a-z]+-[0-9]+\r\nExample: sdf.wwkwe.com/tatamua/uzaro-3381926\r\nNo malware could be identified on the Exchange server in the course of a quick analysis. Other forensic investigations came to a similar conclusion [1]. However, no full forensic analysis was conducted during this investigation.\r\nLater it turned out that other organizations [1] were affected by similar attacks, seemingly related to an attack campaign titled “squirrelwaffle” [2].\r\nWe recommend that everyone update internet-facing applications in short cycles and apply patches as soon as possible after their release. Due to the high attack surface of the Microsoft Exchange product (multiple critical vulnerabilities have been published this year), it is also recommended to block access to the web interface from the internet and use a VPN if access from the internet is required.\r\nRelated URLs:\r\n[1] https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html\r\n[2] https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html\r\nPhoto by Maksim Goncharenok from Pexels.\r\nSource: https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/"
	],
	"report_names": [
		"unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle"
	],
	"threat_actors": [],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/247f82670ef8f2af65dcf965ae0383a1a33654f9.pdf",
		"text": "https://archive.orkl.eu/247f82670ef8f2af65dcf965ae0383a1a33654f9.txt",
		"img": "https://archive.orkl.eu/247f82670ef8f2af65dcf965ae0383a1a33654f9.jpg"
	}
}