Hackers use ProxyShell and ProxyLogon vulnerabilities to gain access to servers and send answers to internal emails.
Cybercriminals use false answers to internal emails to get into Microsoft Exchange servers using ProxyShell and ProxyLogon vulnerabilities to propagate malware and avoid detection.

In harmful email campaigns, the goal is to persuade the receiver to accept a malicious attachment because they trust the sender.Trend Micro security experts identified an intriguing way of distributing infected emails to workers of the affected firm using hijacked Microsoft Exchange servers. It is used by a notorious hacker gang that sends out malicious emails with attachments infecting systems with malware such as Qbot, IcedID, Cobalt Strike, and SquirrelWaffle.

To get employees to click a malicious attachment, hackers use the ProxyShell and ProxyLogon vulnerabilities to enter into Microsoft Exchange servers, then send answers from those servers to internal business emails. The malware attachment is included in these reply emails.

The messages do not raise suspicion among the receivers since they are transmitted from the same internal network and constitute a continuation of an existing ongoing dialogue between two workers. They do not arouse suspicion in the minds of those who receive them. Furthermore, automatic email protection systems are unconcerned about these emails.

To see the malicious attachment, the receiver must “activate content” on a Microsoft Excel sheet. However, once the content is active, dangerous macros are run on the machine, which download and install malware (Qbot, Cobalt Strike, Squirrel Waffle, and so on).

This malicious campaign, according to Trend Micro, spreads the Squirrel Waffle downloader, which installs the Qbot malware on the machine. However, a Cryptolaemus researcher going by the handle The Analyst asserts that it is not Squirrel Waffle who downloads Qbot. but the malicious document downloads both programs separately.

Microsoft patched ProxyLogon vulnerabilities in March 2021, and ProxyShell in April and May. Cybercriminals exploited them to deploy ransomware or install web shells for subsequent access to servers. In the case of ProxyLogon, things were so bad that the FBI even had to remove web shells from compromised Microsoft Exchange servers in the United States without prior notice to users.