{"id":44015,"date":"2021-11-19T00:00:00","date_gmt":"2021-11-19T00:00:00","guid":{"rendered":"urn:uuid:adf1d65e-1d83-abe8-5ae3-46c97e85e29e"},"modified":"2021-11-19T00:00:00","modified_gmt":"2021-11-19T00:00:00","slug":"squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/","title":{"rendered":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/squirrelwaffle-exploits-proxyshell-and-proxylogon-microsoft-exchange-vulnerabilities-to-hijack-email-chains.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.373563218391\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"699895187\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.776523702032\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.146726862302\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. 
We look into how by investigating its exploitation of the Microsoft Exchange Server vulnerabilities ProxyLogon and ProxyShell.<\/p>\n<p class=\"article-details__author-by\">By: Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar <time class=\"article-details__date\">November 19, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"48.830729166667\">\n<div readability=\"45.000868055556\">\n<p>In September, <a href=\"https:\/\/blog.talosintelligence.com\/2021\/10\/squirrelwaffle-emerges.html\" target=\"_blank\" rel=\"noopener\">Squirrelwaffle emerged<\/a> as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim\u2019s guard against malicious activities. To pull this off, we believe it used a chain of both ProxyLogon and ProxyShell exploits.<\/p>\n<p>The Trend Micro Incident Response team looked into several Squirrelwaffle-related intrusions that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.<\/p>\n<p>This comes from the fact that all of the intrusions we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. 
In this blog entry, we shed more light on these observed initial access techniques and the early phases of Squirrelwaffle campaigns.<\/p>\n<p><b><span class=\"body-subhead-title\">Microsoft Exchange infection<\/span><\/b><\/p>\n<p>We observed evidence of exploitation of the vulnerabilities <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26855\" target=\"_blank\" rel=\"noopener\">CVE-2021-26855<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34473\" target=\"_blank\" rel=\"noopener\">CVE-2021-34473<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34523\" target=\"_blank\" rel=\"noopener\">CVE-2021-34523<\/a> in the IIS logs on three of the Exchange servers that were compromised in different intrusions. The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft&nbsp;released a patch for&nbsp;ProxyLogon&nbsp;in&nbsp;<u><a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\" target=\"_blank\" rel=\"noopener\">March<\/a><\/u>; those who have applied the&nbsp;<u><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/proxyshell-vulnerabilities-and-your-exchange-server\/ba-p\/2684705\" target=\"_blank\" rel=\"noopener\">May or July<\/a><\/u>&nbsp;updates are protected from&nbsp;ProxyShell&nbsp;vulnerabilities.<\/p>\n<h3><span class=\"body-subhead-title\"><span>CVE-2021-26855: the pre-authentication proxy vulnerability<\/span><\/span><\/h3>\n<p>This server-side request forgery (SSRF) vulnerability can allow a threat actor access by sending a specially crafted web request to an Exchange Server. 
The web request contains an XML payload directed at the Exchange Web Services (EWS) API endpoint.<\/p>\n<p>The request bypasses authentication using specially crafted cookies and allows an unauthenticated threat actor to execute EWS requests encoded in the XML payload and ultimately perform operations on victims\u2019 mailboxes.<\/p>\n<p>From our analysis of the IIS log, we saw that the threat actor used a <a href=\"https:\/\/github.com\/Jumbo-WJB\/Exchange_SSRF\" target=\"_blank\" rel=\"noopener\">publicly available<\/a> exploit in its attack. This exploit gives a threat actor the ability to get users\u2019 SIDs and emails. They can even search for and download a target\u2019s emails. Figures 1 to 3 highlight evidence from the IIS logs and show the exploit code.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%201%20exploit%20cve-2021-26855.png\" alt=\"Figure 1. Exploiting CVE-2021-26855, as seen in the IIS logs\"><figcaption>Figure 1. Exploiting CVE-2021-26855, as seen in the IIS logs<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The logs (Figures 2 to 3) also show that the threat actor used the ProxyLogon vulnerability to get this particular user\u2019s SID and emails, which were then used to send malicious spam.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%202%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Figure 2. 
The function responsible for getting the SID inside the exploit\"><figcaption>Figure 2. The function responsible for getting the SID inside the exploit<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%203%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Figure 3. The user agent used in the attack\"><figcaption>Figure 3. The user agent used in the attack<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h3><span class=\"body-subhead-title\"><span>CVE-2021-34473: the pre-auth path confusion<\/span><\/span><\/h3>\n<p>This ProxyShell vulnerability abuses the URL normalization of the explicit Logon URL, wherein the logon email is removed from the URL if the suffix is autodiscover\/autodiscover.json. This grants an arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITY\\SYSTEM).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%204%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Figure 4. Exploiting CVE-2021-34473\"><figcaption>Figure 4. Exploiting CVE-2021-34473<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h3><span class=\"body-subhead-title\"><span>CVE-2021-34523: Exchange PowerShell backend elevation-of-privilege<\/span><\/span><\/h3>\n<p>Exchange has a PowerShell remoting feature that can be used to read and send emails. 
It can\u2019t be used by NT AUTHORITY\\SYSTEM as it does not have a mailbox. However, in cases where it is accessed directly via the previous vulnerability, the backend\/PowerShell can be provided with an X-Rps-CAT query string parameter. This parameter is deserialized and used to restore the user identity. It can therefore be used to impersonate a local administrator to run PowerShell commands.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%205%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Exploiting CVE-2021-34523 \"><figcaption>Figure 5. Exploiting CVE-2021-34523 <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%206%20squirrelwaffle%20exchange%20exploit.png\" alt=\"malicious spam received by targets \"><figcaption>Figure 6. The malicious spam received by targets <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>With this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">Malicious spam<\/span><\/p>\n<p>In one of the observed intrusions, all the internal users in the affected network received emails similar to those shown in Figure 6, where the spam emails have been sent as legitimate replies to existing email threads. 
All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim\u2019s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%207%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Malicious spam via the MTA route \"><figcaption>Figure 7. Malicious spam via the MTA route <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>In the same intrusion, we analyzed the email headers of the received malicious emails; the mail path was internal (between the three internal Exchange servers\u2019 mailboxes), indicating that the emails did not originate from an external sender, an open mail relay, or any message transfer agent (MTA).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%208%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Malicious Microsoft Excel document \"><figcaption>Figure 8. 
Malicious Microsoft Excel document <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>Delivering the malicious spam using this technique to reach all the internal domain users decreases the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails. The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so no suspicious network activity would be detected. Additionally, no malware was executed on the Exchange servers that would trigger alerts before the malicious email spread across the environment.<\/p>\n<h2><b><span class=\"body-subhead-title\">The malicious Microsoft Excel file<\/span><\/b><\/h2>\n<p>The attacker exploited the Exchange servers to deliver internal mails. This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.<\/p>\n<p>Both links used in the malicious emails (aayomsolutions[.]co[.]in\/etiste\/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com\/quasisuscipit\/totamet[-]4966787) drop a ZIP file on the machine. The ZIP file contains, in this case, a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%209%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Excel 4.0 Macros \"><figcaption>Figure 9. 
Excel 4.0 Macros <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>These sheets contain malicious Excel 4.0 macros that are responsible for downloading and executing the malicious DLL.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%2010%20squirrelwaffle%20exchange%20exploit.png\" alt=\"Excel file infection chain\"><figcaption>Figure 10. Excel file infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The spreadsheets download the DLL from hardcoded URLs, which are hxxps:[\/\/]iperdesk.com\/JWqj8R2nt\/be.html, hxxps:[\/\/]arancal.com\/HgLCgCS3m\/be.html and hxxps:[\/\/]grandthum.co.in\/9Z6DH5h5g\/be.html.<\/p>\n<p>The DLL is dropped in C:\\Datop\\. Finally, the document executes the DLL using the following commands:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\regsvr32.exe&#8221; C:\\Datop\\good.good<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\regsvr32.exe&#8221; C:\\Datop\\good1.good<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\regsvr32.exe&#8221; C:\\Datop\\good2.good<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/figure%2011%20squirrelwaffle%20exchange%20exploit.png\" alt=\"DLL infection flow\"><figcaption>Figure 11. 
DLL infection flow<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.546200109349\">\n<div readability=\"31.159650082012\">\n<p><b><span class=\"body-subhead-title\">Security recommendations<\/span><\/b><\/p>\n<p>As mentioned earlier, by exploiting ProxyLogon and ProxyShell, attackers were able to bypass the usual checks that would have stopped the spread of malicious email. This highlights how users play an important part in the success or failure of an attack. Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files. Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.<\/p>\n<p>It is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), have already been applied. Microsoft <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/proxyshell-vulnerabilities-and-your-exchange-server\/ba-p\/2684705\">reiterated<\/a> that&nbsp;those who have applied their patch for&nbsp;ProxyLogon&nbsp;in&nbsp;<u><a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\">March<\/a><\/u>&nbsp;are not protected from&nbsp;ProxyShell&nbsp;vulnerabilities, and should install&nbsp;more recent&nbsp;(May or July)&nbsp;security updates.<\/p>\n<p>Here are other security best practices to consider:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><span class=\"rte-circle-bullet\"><span>Enable virtual patching modules on all Exchange servers to provide critical-level protection for servers that have not yet been patched for these vulnerabilities.<\/span><\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span class=\"rte-circle-bullet\"><span>Use <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/edr-endpoint-sensor.html\">endpoint detection and response (EDR) solutions<\/a> on critical servers, as they provide visibility into machine internals and detect suspicious behavior running on servers.<\/span><\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span class=\"rte-circle-bullet\"><span>Use endpoint protection designed for servers.<\/span><\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span class=\"rte-circle-bullet\"><span>Apply sandbox technology to email, network, and web traffic; this is very important for detecting similar URLs and samples.<\/span><\/span><\/span><\/li>\n<\/ul>\n<p>Users can&nbsp;also&nbsp;opt&nbsp;to protect&nbsp;systems&nbsp;through&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint\/server-protect.html\">managed detection and response (MDR)<\/a>, which utilizes advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. 
It can detect threats before they are executed, preventing further compromise.<\/p>\n<p>The indicators of compromise (IOCs) can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/IOCs-squirrelwaffle-exploits-proxyshell-and-proxylogon-microsoft-exchange-vulnerabilities-to-hijack-email-chains.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44016,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9555,9509,9585],"class_list":["post-44015","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research","tag-trend-micro-research-spam"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/squirrelwaffle-exploits-proxyshell-and-proxylogon-microsoft-exchange-vulnerabilities-to-hijack-email-chains.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains\",\"datePublished\":\"2021-11-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/\"},\"wordCount\":1416,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Research\",\"Trend Micro Research : 
Spam\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/\",\"name\":\"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png\",\"datePublished\":\"2021-11-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png\",\"width\":1449,\"height\":78},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat 
Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/","og_locale":"en_US","og_type":"article","og_title":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-11-19T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains\/squirrelwaffle-exploits-proxyshell-and-proxylogon-microsoft-exchange-vulnerabilities-to-hijack-email-chains.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains","datePublished":"2021-11-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/"},"wordCount":1416,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png","keywords":["Trend Micro Research : 
Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Research","Trend Micro Research : Spam"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/","url":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/","name":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png","datePublished":"2021-11-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains.png","width":1449,"height":78},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/squirrelwaffle-exploits-proxyshell-and-proxylogon-to-hijack-email-chains\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 
IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44015"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44015\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44016"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}