Nimblr have registered multiple malicious emails linked to new vulnerabilities in Microsoft Exchange. The weaknesses were first revealed in a blog by Vietnamese cybersecurity company GTSC, and are now refered to as CVE-2022-41040 and CVE-2022-41082.
The new vulnerabilities can be used by attackers to access and extract email conversations between the affected organization’s employees and external parties. Nimblr have registered extensive use of stolen correspondence in malicious emails, linked to organizations where the exploits have been verified. The malicious emails contains the conversation from a real email exchange between two or more parties, including an additional comment and a malicious URL in the top of the email. The sender name is taken from the original email, but are sent from random email adresses using correct SPF and DKIM configuration.
In the example above, the attacker extracted sender and recipient addresses, targeting one of them with the new a malicious email that contains information from a previous conversation.
In addition to the use of stolen correspondence in malicious emails, Nimblr expects an increase in the volume of password phishing from attackers looking to exploit the new vulnerabilities as authenticated access to the Exchange Server is necessary to successfully exploit the weaknesses.
-Using the stolen content in malicious email campaigns makes it easier to trick the recipients, and you should probably inform your end users about this type of attacks, but I’d probably be even more worried about the data breach in itself. Confidential email content from a number of big organisations have been extracted by criminals over the last couple of days, says Rikard Zetterberg, CTO of Nimblr.
The new vulnerabilities impact on-premise Microsoft Exchange Server 2013, 2016, and 2019. Microsoft has not yet declared when patches would become available but are working on a fix “on an accelerated timeline”. More details and suggested mitigation can be found here: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
Nimblr, offering Security Awareness Training, is publishing a new Zero-Day-Class “Stolen correspondence” to warn and educate its customers´ end-users on the current Malicious email campaign.