Vulnerable Exchange server hit by Squirrelwaffle and financial fraud

Kongo

Feb 25, 2017
The Sophos Rapid Response team recently investigated an incident where the Squirrelwaffle malware loader was used in conjunction with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server. The attackers leveraged the vulnerable server to mass-distribute Squirrelwaffle to both internal and external recipients by inserting malicious replies into employees' existing email threads (known as email thread hijacking).

Sophos has encountered this approach before, but on this occasion there was also something new going on. The incident investigators discovered that while the malicious spam campaign was being implemented, the same vulnerable server was also used for a financial fraud attack using knowledge extracted from a stolen email thread.

Source: Vulnerable Exchange server hit by Squirrelwaffle and financial fraud