The combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers is being used to conduct financial fraud through email hijacking.
On Tuesday, researchers from Sophos revealed a recent incident in which a Microsoft Exchange Server that had not been patched against a set of critical vulnerabilities disclosed last year was compromised and used to hijack existing email threads and spread malspam.
Microsoft issued emergency out-of-band patches on March 2, 2021, to resolve four zero-day vulnerabilities, collectively known as ProxyLogon, that could be chained to take over Exchange servers. The advanced persistent threat (APT) group Hafnium was actively exploiting the bugs at the time, and other APTs quickly followed suit.
While the ProxyLogon/ProxyShell vulnerabilities are now well-known, some servers are still unpatched and open to attacks.
The recent case documented by Sophos combined the Microsoft Exchange Server flaws with Squirrelwaffle, a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content tacked on to phishing emails.
If the intended victim enables macros in the weaponized document, the Squirrelwaffle loader runs, and it is then commonly used to pull down and execute Cobalt Strike beacons via a VBS script.
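The delivery step described above, a macro-enabled Office document attached to a phishing email, is one a mail gateway or incident responder can check for directly. The following is an added example, not code from Sophos or from the article: it parses an email, and for each attachment reports whether it is an OOXML document carrying a VBA project part (`vbaProject.bin`), a legacy OLE2 container (which can always hold macros), or neither. The sample message and the minimal zip layouts it builds are constructed for the demo; real `.docm` files contain many more parts, but the `vbaProject.bin` check is the same.

```python
"""Flag e-mail attachments that can carry VBA macros.

Added example (not Sophos's or the article's code). The sample email and the
minimal OOXML-style zips below are constructed for the demo and contain no
real macro code; only the presence of the VBA project part is checked.
"""
from __future__ import annotations

import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic bytes of the legacy OLE2 compound file used by .doc/.xls/.ppt
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) document contains a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(data: bytes) -> str:
    """Return 'macro' (OOXML with VBA), 'ole2' (legacy container), or 'clean'."""
    if has_vba_project(data):
        return "macro"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "clean"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and classify every attachment by content."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append((part.get_filename() or "<unnamed>", classify_attachment(payload)))
    return findings


def build_docm_like(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip (assumption: real files have more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample message: one macro doc, one clean docx, one OLE2 doc."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "RE: Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(build_docm_like(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(build_docm_like(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_email()):
        print(f"{name}: {verdict}")
```

The classification looks at content rather than the file extension, because a renamed `.docm` is still opened as a macro-enabled document; a legacy OLE2 file is flagged separately since telling a macro-free `.doc` from a weaponized one needs a VBA stream parser (for example oletools' `olevba`), which is outside this example.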
Sophos says that in the recent campaign, the loader was deployed once the Microsoft Exchange Server had been