{"id":6648,"date":"2021-11-12T16:35:26","date_gmt":"2021-11-12T14:35:26","guid":{"rendered":"https:\/\/www.retarus.com\/blog\/en\/new-wave-of-sneaky-attacks-on-hijacked-exchange-servers"},"modified":"2024-05-07T11:24:43","modified_gmt":"2024-05-07T09:24:43","slug":"new-wave-of-sneaky-attacks-on-hijacked-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.retarus.com\/blog\/en\/new-wave-of-sneaky-attacks-on-hijacked-exchange-servers\/","title":{"rendered":"New wave of sneaky attacks on hijacked Exchange servers"},"content":{"rendered":"\n

Compromised Exchange servers are being hijacked and exploited in a particularly sneaky wave of email-based cyberattacks. In an approach similar to the Emotet attacks, the recipient receives purported responses to genuine email conversations, which contain links leading to malware. The difference here is that these attack emails are actually sent using the legitimate mail server of the supposed sender.<\/p>\n\n\n\n

This makes it a lot more difficult to filter out these messages technically or for the user to identify them as inauthentic. According to an alert issued by Germany\u2019s Federal Office for Information Security (BSI)<\/a>, the links lead users to various forms of malware, including DanaBot, SquirrelWaffle and the especially menacing Quakbot. \u201cBleeping Computer\u201d also reported<\/a> on this.<\/p>\n\n\n\n

At present it is unclear how the attackers gain access to the email traffic or exactly which vulnerability in Microsoft Exchange is being exploited in this new wave of attacks. The BSI presumes that the servers in question had already been taken over some time ago without companies noticing. In the meantime, criminals continue to trade the corresponding credentials to the highest bidder on darknet marketplaces. With this highly sophisticated method of duping recipients, this latest rendition of bogus emails threatens to be even more \u201csuccessful\u201d than Emotet once was<\/a> (even if the volume of such emails sent thus far remains much lower for the time being).<\/p>\n\n\n\n

Should a company suspect that their Exchange server has been compromised, the BSI advises them to reset their Exchange servers and reinstall the necessary data. To combat attacks, outages, and incidents, Retarus offers their Email Continuity<\/a> service, which is consciously not based on Microsoft products. The service makes ready-to-use, pre-provisioned webmail accounts available to users in emergency situations. The routing of messages can then instantly be redirected to this \u201cactive\u201d backup, ensuring that staff can keep communicating without disruption.<\/p>\n\n\n\n

Email Continuity is tightly integrated with Retarus Email Security<\/a>, which naturally also provides full protection for these emergency email accounts. Other Retarus Secure Email Platform<\/a> services, including Email Archive and Email Encryption, are also available for this failover service on request.<\/p>\n","protected":false},"excerpt":{"rendered":"

Compromised Exchange servers are being hijacked and exploited in a particularly sneaky wave of email-based cyberattacks. The recipient receives purported responses to genuine email conversations which contain links leading to malware \u2013 sent using the legitimate mail server of the supposed sender.<\/p>\n","protected":false},"author":14,"featured_media":10077,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_s2mail":"yes","footnotes":""},"categories":[8,15],"tags":[2927,3672],"acf":[],"yoast_head":"\nNew wave of sneaky attacks on hijacked Exchange servers - Retarus Corporate Blog - EN<\/title>\n<meta name=\"description\" content=\"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New wave of sneaky attacks on hijacked Exchange servers\" \/>\n<meta property=\"og:description\" content=\"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. 
Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/\" \/>\n<meta property=\"og:site_name\" content=\"Retarus Corporate Blog - EN\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-12T14:35:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-07T09:24:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Thomas Cloer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thomas Cloer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/\",\"name\":\"New wave of sneaky attacks on hijacked Exchange servers - Retarus Corporate Blog - EN\",\"isPartOf\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg\",\"datePublished\":\"2021-11-12T14:35:26+00:00\",\"dateModified\":\"2024-05-07T09:24:43+00:00\",\"author\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/7f8954d8bf84d75cf384942c5f6cf2e5\"},\"description\":\"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. 
Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg\",\"contentUrl\":\"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"Malware\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.retarus.com\/blog\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New wave of sneaky attacks on hijacked Exchange servers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#website\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/\",\"name\":\"Retarus Corporate Blog - EN\",\"description\":\"Always up to date\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.retarus.com\/blog\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/7f8954d8bf84d75cf384942c5f6cf2e5\",\"name\":\"Thomas 
Cloer\",\"url\":\"https:\/\/www.retarus.com\/blog\/en\/author\/thomasc\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"New wave of sneaky attacks on hijacked Exchange servers - Retarus Corporate Blog - EN","description":"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/","og_locale":"en_US","og_type":"article","og_title":"New wave of sneaky attacks on hijacked Exchange servers","og_description":"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.","og_url":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/","og_site_name":"Retarus Corporate Blog - EN","article_published_time":"2021-11-12T14:35:26+00:00","article_modified_time":"2024-05-07T09:24:43+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg","type":"image\/jpeg"}],"author":"Thomas Cloer","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Thomas Cloer","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/","url":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/","name":"New wave of sneaky attacks on hijacked Exchange servers - Retarus Corporate Blog - EN","isPartOf":{"@id":"https:\/\/www.retarus.com\/blog\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage"},"image":{"@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage"},"thumbnailUrl":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg","datePublished":"2021-11-12T14:35:26+00:00","dateModified":"2024-05-07T09:24:43+00:00","author":{"@id":"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/7f8954d8bf84d75cf384942c5f6cf2e5"},"description":"Kompromittierte Exchange-Server werden aktuell f\u00fcr eine besonders heimt\u00fcckische Angriffswelle via E-Mail missbraucht. 
Die Empf\u00e4nger erhalten vorgebliche Antworten auf echte E-Mail-Unterhaltungen, die Links auf Schadsoftware enthalten \u2013 verschickt \u00fcber die legitimen Mail-Server der Absender.","breadcrumb":{"@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#primaryimage","url":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg","contentUrl":"https:\/\/www.retarus.com\/blog\/en\/wp-content\/uploads\/sites\/22\/2024\/05\/shutterstock_1378498490.jpg","width":1920,"height":1080,"caption":"Malware"},{"@type":"BreadcrumbList","@id":"https:\/\/www.retarus.com\/blog\/en\/perfide-neue-angriffswelle-ueber-gekaperte-exchange-server\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.retarus.com\/blog\/en\/"},{"@type":"ListItem","position":2,"name":"New wave of sneaky attacks on hijacked Exchange servers"}]},{"@type":"WebSite","@id":"https:\/\/www.retarus.com\/blog\/en\/#website","url":"https:\/\/www.retarus.com\/blog\/en\/","name":"Retarus Corporate Blog - EN","description":"Always up to date","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.retarus.com\/blog\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.retarus.com\/blog\/en\/#\/schema\/person\/7f8954d8bf84d75cf384942c5f6cf2e5","name":"Thomas 
Cloer","url":"https:\/\/www.retarus.com\/blog\/en\/author\/thomasc\/"}]}},"_links":{"self":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/6648"}],"collection":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=6648"}],"version-history":[{"count":8,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/6648\/revisions"}],"predecessor-version":[{"id":10460,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/posts\/6648\/revisions\/10460"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/media\/10077"}],"wp:attachment":[{"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=6648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=6648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.retarus.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=6648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}