Unidentified threat actors are actively exploiting publicly exposed Microsoft Exchange servers to inject malicious JavaScript code into login pages. This sophisticated attack aims to harvest user credentials, posing a significant risk to organizations relying on these critical communication platforms. The discovered method allows attackers to remain largely undetected while capturing sensitive information in plaintext.
The ongoing campaign, first documented in May 2024, has now impacted 65 victims across 26 countries, according to analysis by Positive Technologies. These attacks represent a continuation of a campaign that initially targeted entities in Africa and the Middle East, with evidence suggesting that initial compromises may date back as far as 2021. Organizations from various sectors, including government agencies, financial institutions, and IT companies, have been affected.
Microsoft Exchange Server Vulnerabilities Exploited for Credential Harvesting
The attackers are leveraging known vulnerabilities within Microsoft Exchange Server, including well-documented flaws like ProxyLogon and ProxyShell, to gain initial access. Once inside, they meticulously embed malicious JavaScript keylogger code directly into the legitimate Outlook login pages. This deceptive tactic ensures that when users enter their credentials, the information is captured before being sent to the attackers.
Positive Technologies has identified two primary variants of this keylogger code. The first variant is designed to store the harvested data locally in a file that is subsequently made accessible over the internet. This method offers a stealthy approach as it minimizes outbound network traffic, making detection more challenging for security systems. This variant can also collect additional information such as user cookies, User-Agent strings, and timestamps.
In contrast, the second variant immediately transmits the stolen credentials to an external server. Security researchers Klimentiy Galkin and Maxim Suslov detailed how this process involves malicious JavaScript code reading and processing data from the authentication form. The collected information is then transmitted via an XHR request to a specific page on the compromised Exchange Server. The handler function on the target page is responsible for reading the incoming request and writing the data to a file on the server.
Further analysis revealed that some instances of the second variant utilize a Telegram bot as an exfiltration point. Credentials are sent via XHR GET requests, with the encoded login and password stored in the APIKey and AuthToken headers, respectively. In some cases, attackers are also employing a Domain Name System (DNS) tunnel in conjunction with an HTTPS POST request to further obscure the data transmission and bypass existing network security measures.
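The two variants described above share one observable artefact on the server: a script block added to the Outlook login page that reads the credential form and either stages the data in a file or sends it onward (via XHR, custom APIKey/AuthToken headers, or a Telegram bot). The following scanner is an added example written for this article, not code from Positive Technologies or Microsoft. It compares a login page against a known-clean SHA-256 baseline and then applies heuristics for the behaviours the article describes. The sample pages, the `exfil.example.invalid` host and the `logon.aspx` path in the docstring are constructed placeholders; the injected sample is deliberately fragmentary so it only carries the indicators, not a working script.

```python
"""Heuristic scanner for JavaScript injected into an OWA logon page.

Added example; not the article's or Positive Technologies' code.
Assumptions (hypothetical): the server-side login template is a file such as
<ExchangeInstall>\\FrontEnd\\HttpProxy\\owa\\auth\\logon.aspx, and a clean
copy of it was hashed once after installation to serve as the baseline.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Inline <script> blocks are the injection point described in the article.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Access to the credential fields of the logon form.
FORM_READ_RE = re.compile(
    r"(getElementById|querySelector|getElementsByName)\s*\(\s*['\"]"
    r"(username|password|passwd|pwd)['\"]", re.I)
# Hooking the form submission so values are read before they are posted.
SUBMIT_HOOK_RE = re.compile(r"(onsubmit|addEventListener\s*\(\s*['\"]submit['\"])", re.I)
# Any client-side transport that could carry the captured values.
XHR_RE = re.compile(r"XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|\.send\s*\(", re.I)
# Header names the article reports for the Telegram-bot variant.
HEADER_RE = re.compile(r"setRequestHeader\s*\(\s*['\"](APIKey|AuthToken)['\"]", re.I)
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.I)


@dataclass
class Finding:
    category: str
    evidence: str


def page_digest(html: str) -> str:
    """SHA-256 of the page text; store this for a known-clean template."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def scan_page(html: str, baseline_sha256: Optional[str] = None) -> List[Finding]:
    """Return findings for one login page. The baseline check is the primary
    control; the regex heuristics only triage what changed, since legitimate
    OWA scripts also touch the username field (e.g. to set focus)."""
    findings: List[Finding] = []
    digest = page_digest(html)
    if baseline_sha256 and digest != baseline_sha256:
        findings.append(Finding("baseline-mismatch", digest))
    for idx, script in enumerate(m.group(1) for m in SCRIPT_RE.finditer(html)):
        reads_form = FORM_READ_RE.search(script) is not None
        hooks_submit = SUBMIT_HOOK_RE.search(script) is not None
        sends = XHR_RE.search(script) is not None
        # Field access alone is normal; field access plus a submit hook or a
        # transport is the keylogger pattern the article describes.
        if reads_form and (hooks_submit or sends):
            findings.append(Finding("credential-capture",
                                    f"script#{idx}: reads credential fields and hooks submit or sends data"))
        headers = HEADER_RE.findall(script)
        if headers:
            findings.append(Finding("exfil-header", f"script#{idx}: {','.join(headers)}"))
        if TELEGRAM_RE.search(script):
            findings.append(Finding("telegram-bot-endpoint", f"script#{idx}"))
    return findings


def scan_file(path: str, baseline_sha256: Optional[str] = None) -> List[Finding]:
    """Convenience wrapper for scanning the template on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_page(fh.read(), baseline_sha256)


# Constructed sample: a minimal clean logon form (not the real OWA page).
CLEAN_PAGE = """<html><body>
<form id="logonForm" action="/owa/auth.owa" method="post">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
<input type="submit" value="sign in">
</form>
<script>document.getElementById("username").focus();</script>
</body></html>"""

# Constructed sample: same page with a fragmentary, deliberately non-functional
# block that only carries the indicators of both variants.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
/* constructed indicator mimic, not a working script */
document.getElementById("logonForm").addEventListener("submit", stub);
document.getElementById("password"); new XMLHttpRequest();
setRequestHeader("APIKey", ...); setRequestHeader("AuthToken", ...);
/* https://exfil.example.invalid/ or https://api.telegram.org/bot<TOKEN> */
</script>
</body>""")

if __name__ == "__main__":
    baseline = page_digest(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, [f"{f.category}: {f.evidence}" for f in scan_page(page, baseline)])
```

Run it as a scheduled job against the on-disk template (and, separately, against the page as fetched over HTTPS, since the two can differ when an attacker modifies a transform layer rather than the file); a baseline mismatch should open a ticket even when the heuristics stay silent, because the regexes are easy to evade and exist only to explain what changed.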
The geographical distribution of the affected servers highlights a global reach, with Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey appearing among the top targeted countries. Government organizations have been particularly hard-hit, accounting for 22 of the compromised servers, followed by infections in the IT, industrial, and logistics sectors.
Attribution and Continued Threat
In a significant update on August 15, 2025, Positive Technologies attributed these persistent attacks to the hacking group of the same name suspected to be behind the PhantomCore malware. This attribution is based on an analysis of the attacker’s infrastructure, including a domain named “voen-pravo[.]online” which hosted a password-protected archive. This archive contained a deceptive payment calculator application that, upon execution, would contact an external server to retrieve a next-stage payload, identified as PhantomDL, a malware closely linked to PhantomCore.
The researchers confirmed that 10 victims, previously identified as hosting the Exchange keylogger, have now been linked to this group. All of these victim entities are Russian companies engaged in IT consulting or IT solution development. The account data collected from these compromised systems exceeds 5,000 records, underscoring the scale of the ongoing operation.
The continued exploitation of older, unpatched vulnerabilities in internet-facing Microsoft Exchange servers remains a critical concern. Attackers’ ability to embed malicious code within legitimate authentication pages allows them to operate with a high degree of stealth, posing a persistent threat to organizations that have not prioritized regular security updates and system hardening measures. The ongoing nature of these attacks suggests that vigilance and proactive security measures are paramount for protecting sensitive data.