Cybersecurity Threat Advisory: Global Microsoft Exchange Attack
Barracuda Networks, June 27, 2025
A recent cyber campaign has compromised over 70 Microsoft Exchange servers across 26 countries by injecting JavaScript-based keyloggers into Outlook Web Access (OWA) login pages.
Review the details of this Cybersecurity Threat Advisory to safeguard against these vulnerabilities.
What is the threat?
This campaign, active since at least 2021, targets Microsoft Exchange servers with OWA enabled. Hackers inject malicious JavaScript-based keyloggers into the OWA login pages to capture usernames and passwords as users log in. The stolen credentials are either stored locally on the server or exfiltrated using DNS tunnels or Telegram bots. The campaign primarily targets government agencies, IT firms, and industrial sectors by exploiting unpatched Exchange vulnerabilities. Its stealthy nature and low detection rate make immediate patching, script auditing, and traffic monitoring critical for defense.
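
One way to carry out the script auditing recommended above is to compare the scripts on the current OWA login page against a known-good copy. The Python below is an added example, not code from Barracuda or Microsoft; the sample markup, paths and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not real OWA markup); paths are placeholders.
BASELINE = ('<html><script src="/auth/app.js"></script>'
            '<script>var a = 1;</script><form></form></html>')
CURRENT = BASELINE.replace("<form>", '<script src="/auth/extra.js"></script>'
                           "<script>/* placeholder: unexpected code */</script><form>")


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # finished script elements
        self._open = None   # script element currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def fingerprint(html):
    """Return (external script URLs, SHA-256 hashes of inline scripts)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    srcs, hashes = set(), set()
    for script in parser.scripts:
        if script["src"]:
            srcs.add(script["src"].strip())
        body = " ".join(script["body"].split())  # ignore whitespace-only changes
        if body:
            hashes.add(hashlib.sha256(body.encode()).hexdigest())
    return srcs, hashes


def audit(baseline_html, current_html):
    """List scripts in the current page that the known-good baseline lacks."""
    base_srcs, base_hashes = fingerprint(baseline_html)
    cur_srcs, cur_hashes = fingerprint(current_html)
    findings = [("new-external-script", s) for s in sorted(cur_srcs - base_srcs)]
    return findings + [("new-or-modified-inline-script", h)
                       for h in sorted(cur_hashes - base_hashes)]
```

Take the baseline from a copy of the login page saved right after a clean install or patch, and treat any finding as a reason to inspect the server.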