Details of another Microsoft Exchange exploit (CVE-2021-33766) have been published. The vulnerability was patched in April and since then exploitation attempts have been observed in the wild.
By exploiting this vulnerability, an attacker can perform configuration actions on mailboxes belonging to arbitrary users.
A remote, unauthenticated actor could set up a mail forwarding rule to forward emails to an attacker-controlled inbox.
The following hunting query can be used to detect exploitation attempts.
W3CIISLog  // source table assumed: the Microsoft Sentinel table for IIS logs, which the page omits
| where not(ipv4_is_private(cIP))
| where csMethod =~ "POST"
| where csUriStem has "/ecp"
| where isnotempty(csCookie) and csCookie has "SecurityToken"
| where csUriQuery has "msExchEcpCanary"
| extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP
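For hosts without Sentinel, the same conditions can be applied to raw IIS W3C log lines. This is an added Python example, not part of the original advisory; the field order, the sample lines and the RFC 1918-only private check (matching KQL's ipv4_is_private rather than Python's broader is_private) are assumptions.

```python
import ipaddress
import re

# Field order assumed for the constructed sample below; a real IIS log declares
# its own order in a "#Fields:" header line, so adapt this list to that header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Cookie)",
          "cs(Referer)", "sc-status"]

# KQL ipv4_is_private() only covers RFC 1918; Python's is_private would also
# flag documentation ranges such as 203.0.113.0/24, so check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def has_term(text, term):
    # KQL `has` is a case-insensitive whole-term match; terms are alphanumeric runs.
    return term.lower() in re.findall(r"[a-z0-9]+", text.lower())

def parse_w3c_line(line, fields=FIELDS):
    parts = line.split()
    if line.startswith("#") or len(parts) != len(fields):
        return None
    # IIS writes "-" for an empty field; normalise it to "".
    return {k: ("" if v == "-" else v) for k, v in zip(fields, parts)}

def is_suspicious(entry):
    """Same conditions as the hunting query: POST to /ecp from a non-private
    client IP, carrying a SecurityToken cookie and msExchEcpCanary in the query."""
    try:
        client = ipaddress.IPv4Address(entry["c-ip"])
    except ValueError:
        return False  # KQL yields null here and the row drops out of the query
    if any(client in net for net in RFC1918):
        return False
    return (entry["cs-method"].upper() == "POST"
            and has_term(entry["cs-uri-stem"], "ecp")
            and entry["cs(Cookie)"] != "" and has_term(entry["cs(Cookie)"], "SecurityToken")
            and has_term(entry["cs-uri-query"], "msExchEcpCanary"))

def hunt(lines):
    return [e for e in map(parse_w3c_line, lines) if e and is_suspicious(e)]

# Constructed sample log lines (not real traffic); only the first should match.
SAMPLE_LOG = [
    "2021-08-30 10:15:02 10.0.0.5 POST /ecp/example msExchEcpCanary=PLACEHOLDER 443 - 203.0.113.7 Mozilla/5.0 SecurityToken=PLACEHOLDER;X=1 - 200",
    "2021-08-30 10:15:03 10.0.0.5 POST /ecp/example msExchEcpCanary=PLACEHOLDER 443 - 10.1.2.3 Mozilla/5.0 SecurityToken=PLACEHOLDER;X=1 - 200",
    "2021-08-30 10:15:04 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 Mozilla/5.0 - - 200",
    "2021-08-30 10:15:05 10.0.0.5 POST /ecp/example msExchEcpCanary=PLACEHOLDER 443 - 198.51.100.9 Mozilla/5.0 - - 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} {hit['cs-uri-stem']}")
```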
The following products may be vulnerable if not recently patched.
– Exchange Server 2013 up to CU23
– Exchange Server 2016 up to CU20
– Exchange Server 2019 up to CU9
Microsoft recommends using its Exchange Server Health Checker script to get an inventory of server patch levels.
Containment, Mitigations & Remediations
Microsoft patched this vulnerability in April, although it did not assign a CVE at the time, so the update was not tracked as a security patch.