Cybersecurity Threat Advisory: Global Microsoft Exchange attack

A recent cyber campaign has compromised over 70 Microsoft Exchange servers across 26 countries by injecting JavaScript-based keyloggers into Outlook Web Access (OWA) login pages. Review the details of this Cybersecurity Threat Advisory to safeguard against these vulnerabilities.

What is the threat?

This campaign, active since at least 2021, targets Microsoft Exchange servers with OWA enabled. Hackers inject malicious JavaScript-based keyloggers into the OWA login pages to capture usernames and passwords as users log in. The stolen credentials are either stored locally on the server or exfiltrated using DNS tunnels or Telegram bots. The campaign primarily targets government agencies, IT firms, and industrial sectors by exploiting unpatched Exchange vulnerabilities. Its stealthy nature and low detection rate make immediate patching, script auditing, and traffic monitoring critical for defense.

Why is this noteworthy?

The malicious JavaScript code is designed to read and process data from authentication forms, subsequently sending this information through an XHR request to a designated page on a compromised Exchange Server. The source code of the target page includes a handler function that captures the incoming request and writes the data to a file on the server.
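The advisory calls for auditing the scripts served by the OWA login page. The following is an added example for this advisory, not Barracuda's or Microsoft's code: it hashes each inline script on an exported logon page against a baseline of known-good hashes and flags any script that both reads the authentication form and contains a transmission or cookie-collection call, the pattern described above. The sample page, the injected script and the baseline are constructed for illustration.

```python
"""Audit an exported OWA logon page for injected credential-capturing script.

Assumes you have saved the logon page HTML and a baseline of SHA-256 hashes
for the inline scripts that shipped with your Exchange build (constructed here).
"""
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Heuristics from the advisory: the injected code reads the auth form and
# posts it with XHR, or collects cookies / User-Agent for local logging.
FORM_HINTS = re.compile(r"(password|username|getElementsByName|\bforms?\b)", re.I)
EXFIL_HINTS = re.compile(
    r"(XMLHttpRequest|fetch\(|navigator\.sendBeacon|document\.cookie|navigator\.userAgent)",
    re.I)


def inline_script_hash(body: str) -> str:
    """Normalise whitespace before hashing so the baseline survives reformatting."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


def audit_logon_page(html: str, baseline: set) -> list:
    """Return one finding per inline script that is unknown or looks like a keylogger."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        if not body.strip():  # external <script src=...>: audit those files separately
            continue
        digest = inline_script_hash(body)
        reads_form = bool(FORM_HINTS.search(body))
        exfil = bool(EXFIL_HINTS.search(body))
        if digest in baseline and not (reads_form and exfil):
            continue  # known-good script with no keylogger traits
        findings.append({"index": idx, "sha256": digest[:16],
                         "unknown": digest not in baseline,
                         "keylogger_like": reads_form and exfil})
    return findings


# Constructed sample: a benign script shipped with the page plus an injected one
# that posts the password field to a handler page on the same server.
BENIGN_BODY = "document.getElementById('username').focus();"
INJECTED = ("<script>document.forms[0].onsubmit=function(){var x=new XMLHttpRequest();"
            "x.open('POST','/owa/auth/example-handler.aspx');"
            "x.send(document.forms[0].password.value)}</script>")
CLEAN_PAGE = "<html><body><form></form><script>" + BENIGN_BODY + "</script></body></html>"
INFECTED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED + "</body>")
BASELINE = {inline_script_hash(BENIGN_BODY)}

if __name__ == "__main__":
    for finding in audit_logon_page(INFECTED_PAGE, BASELINE):
        print(finding)
```

A script that is unknown to the baseline but shows no keylogger traits is still reported, with `keylogger_like` set to False, so a reviewer can decide whether to add it to the baseline.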

The attack chain begins by exploiting known vulnerabilities in Microsoft Exchange Server, such as ProxyShell, to inject keylogger code into the login page. The identity of the threat actors responsible remains unknown at this time. Some of the vulnerabilities weaponized are listed below:

  • CVE-2014-4078 – IIS Security Feature Bypass Vulnerability.
  • CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability.
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon).
  • CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 – Microsoft Exchange Server Security Feature Bypass Vulnerability (ProxyShell).

What is the exposure or risk?

The server-side file that receives the stolen credentials can be accessed from an external network. Variants with local keylogging capabilities have also been discovered; these additionally collect user cookies, User-Agent strings, and timestamps. A significant advantage of this method for the attacker is the minimal risk of detection: because the captured data is written to the compromised server itself, transmitting it generates no outbound traffic.

So far, at least 22 compromised servers have been identified within government agencies. Other affected sectors include IT, logistics, and industry. The top targeted countries are Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey.

What are the recommendations?

Barracuda recommends the following actions to keep your environment secure against this threat:

  • Apply the latest security patches to all Microsoft Exchange servers. Regularly check for updates and apply them promptly to mitigate known vulnerabilities.
  • Limit access to Exchange servers to only those who absolutely need it. Use role-based access controls (RBAC) to enforce the principle of least privilege.
  • Adopt an extended threat detection and response solution, such as Barracuda Managed XDR Endpoint Security, to monitor endpoints for suspicious activity, including detecting and blocking malicious scripts, the installation of unauthorized software such as keyloggers, and unusual login attempts or access patterns that could indicate a compromised account or server.
  • Enforce multi-factor authentication (MFA) for all users accessing the Exchange server to add an additional layer of security beyond just passwords.

How can Barracuda protect you against this threat?

Barracuda recently introduced its Managed Vulnerability Security service, a fully managed solution that proactively detects and prioritizes vulnerabilities across servers, endpoints, network devices, and cloud infrastructure. In light of threats such as the OWA JavaScript keylogger campaign, this service helps identify unpatched Exchange servers and misconfigurations before attackers can exploit them. When combined with Barracuda Managed XDR’s real-time threat detection and incident response capabilities, it enables a defense-in-depth strategy, closing security gaps while also identifying suspicious login events or lateral movement. This unified approach—vulnerability scanning paired with XDR’s detection engine—helps organizations stay ahead of advanced threats, reduce vendor complexity, and strengthen their overall security posture.

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
