{"id":44012,"date":"2021-11-18T23:03:26","date_gmt":"2021-11-18T23:03:26","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise"},"modified":"2021-11-18T23:03:26","modified_gmt":"2021-11-18T23:03:26","slug":"microsoft-exchange-server-flaws-now-exploited-for-bec-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-server-flaws-now-exploited-for-bec-attacks\/","title":{"rendered":"Microsoft Exchange Server Flaws Now Exploited for BEC Attacks"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt8fcf5db289c785b1\/6196d94d6e8d61565f243a12\/exchange_monticello_shutterstock.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Threat actors are using a couple of dangerous, new tactics to exploit the so-called ProxyShell set of vulnerabilities in on-premises Exchange Servers that Microsoft patched earlier this year \u2014 and were the targets of widespread attacks in July.<\/p>\n<p>In multiple recent incident response engagements, Mandiant&nbsp;researchers found attackers had abused ProxyShell to drop Web shells on vulnerable systems in a different \u2014 and more difficult to detect \u2014 manner than used in previous attacks. 
In some attacks, threat actors skipped Web shells entirely and instead created their own hidden, privileged mailboxes, giving them the ability to take over accounts and create other problems.&nbsp;<\/p>\n<p>As many as 30,000 Internet-facing Exchange Servers remain vulnerable to these attacks because they have not been patched, <a href=\"https:\/\/www.mandiant.com\/resources\/change-tactics-proxyshell-vulnerabilities\" target=\"_blank\" rel=\"noopener\">Mandiant said<\/a>.<\/p>\n<p><strong>ProxyShell 101<\/strong><br \/>ProxyShell is a set of three vulnerabilities in Exchange Server: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34473\" target=\"_blank\" rel=\"noopener\">CVE-2021-34473<\/a>, a critical remote code execution vulnerability that requires no user action or privileges to exploit; <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34523\" target=\"_blank\" rel=\"noopener\">CVE-2021-34523<\/a>, a post-authentication elevation of privilege vulnerability; and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-31207\" target=\"_blank\" rel=\"noopener\">CVE-2021-31207<\/a>, a medium severity post-authentication flaw that gives attackers a way to gain administrative access on vulnerable systems. The vulnerabilities exist in multiple versions of Exchange Server 2013, 2016, and 2019.<\/p>\n<p>Microsoft patched the flaws in April and May but did not assign CVEs or disclose the patches until July. 
In August, the US Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/cisa-warns-of-ongoing-attacks-targeting-proxyshell-vulnerabilities\" target=\"_blank\" rel=\"noopener\">warned of attackers<\/a> chaining together the three flaws to exploit vulnerable Exchange Servers.&nbsp;<\/p>\n<p>Security vendors reported that threat actors were exploiting the flaws mainly to deploy Web shells on Exchange Servers that they could use in future attacks. An analysis by <a href=\"https:\/\/www.huntress.com\/blog\/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit\" target=\"_blank\" rel=\"noopener\">Huntress Labs<\/a> found the most common Web shell that attackers deployed was XSL Transform. Other common Web shells included Encrypted Reflected Assembly Loader, Comment Separation and Obfuscation of the &#8220;unsafe&#8221; Keyword, Jscript Base64 Encoding and Character Typecasting, and Arbitrary File Uploader.<\/p>\n<p>Joshua Goddard, a consultant with Mandiant\u2019s incident response team, says attackers that exploited ProxyShell initially dropped Web shells via mailbox export requests.<\/p>\n<p>&#8220;Those Web shells could be used to remotely access Exchange servers and further compromise organizations, like deploying ransomware onto devices,&#8221; he says.<\/p>\n<p>But antivirus and endpoint detection and response (EDR) vendors were quick to build detections for Web shells created via mailbox export. That is likely what pushed attackers to look for new avenues for taking advantage of Exchange Server systems that are still unpatched against ProxyShell, Goddard says.&nbsp;<\/p>\n<p>The tactic that attackers are now using is to export Web shells from the certificate store. 
<\/p>\n<p>&#8220;Web shells created by this means do not have the same file structure as those created by mailbox export, so attackers have had some success with this since not all security tools have appropriate detections in place,&#8221; Goddard notes.<\/p>\n<p>Mandiant researchers also observed ProxyShell attacks where threat actors did not deploy Web shells but instead created highly privileged mailboxes that were hidden from the address list. They assigned these mailboxes permissions to other accounts, then logged in via the Web client to browse or steal data.<\/p>\n<p>&#8220;This is the most significant change in tactics,&#8221; Goddard says. &#8220;Attackers are using ProxyShell vulnerabilities to achieve business email compromise [BEC] by interfacing with the Exchange services exclusively, instead of the operating systems hosting them,&#8221; as is the case when dropping Web shells.&nbsp;<\/p>\n<p>Attackers with this kind of access could potentially launch phishing attacks against other entities using the victim organization&#8217;s email infrastructure, he warns. Since no malicious files are dropped to disk, it becomes more difficult for organizations to detect these attacks.<\/p>\n<p><strong>Spate of Exchange Server Flaws<\/strong><br \/>Microsoft \u2014 and, by extension, its customers \u2014 has had its share of problems with Exchange Server flaws this year.&nbsp;<\/p>\n<p>The most notable was in March, when the company had to rush out emergency patches for a set of four vulnerabilities in the technology, collectively referred to as <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches\" target=\"_blank\" rel=\"noopener\">ProxyLogon<\/a>. The patches came after a Chinese threat group called Hafnium, and later others, were discovered actively exploiting the flaws in thousands of organizations. 
Concerns over the attacks were so high that a court authorized the FBI to take the unprecedented step of <a href=\"https:\/\/www.darkreading.com\/risk\/fbi-operation-remotely-removes-web-shells-from-exchange-servers\/d\/d-id\/1340679\" target=\"_blank\" rel=\"noopener\">removing the Web shells<\/a> that attackers had dropped on systems belonging to hundreds of US organizations \u2014 without notifying them first.&nbsp;<\/p>\n<p>In September, researchers from Trend Micro reported finding <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/-proxytoken-flaw-heightens-concerns-over-security-of-microsoft-exchange-server\" target=\"_blank\" rel=\"noopener\">ProxyToken<\/a>, another Exchange Server flaw that gave attackers a way to copy targeted emails or forward them to an attacker-controlled account. Through the year, Microsoft has disclosed other Exchange Server vulnerabilities of varying severity, including a zero-day threat (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-42321\" target=\"_blank\" rel=\"noopener\">CVE-2021-42321<\/a>) that the company addressed in its November security update.<\/p>\n<p>Goddard says at least some of the 30,000 systems that show up as vulnerable to ProxyShell are likely honeypots; however, a large number are not. <\/p>\n<p>&#8220;Organizations that patched early may be safe, but organizations that haven\u2019t patched yet and have their servers Internet-facing are at significant risk,&#8221; he warns. 
<\/p>\n<p>Organizations that were unpatched for any amount of time since the vulnerabilities were disclosed should conduct a review into any unknown files on the servers, mailbox accounts, and mailbox permissions, he says.<\/p>\n<p>&#8220;Organizations need to detect and validate newly created files outside of change windows and have visibility on configuration changes to their Exchange infrastructure, which should be linked to defined change requests,&#8221; Goddard says.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers also are deploying ProxyShell and abusing the vulnerabilities in stealthier manner, researchers say.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-44012","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"]}