~/f4n6 $ grep -r "Microsoft patches Exchange Server zero-day exploited in attacks" ./investigations/ --include="*.md"

Microsoft patches Exchange Server zero-day exploited in attacks

Jeff Davies 10 Jun 2026 5 min read

1. Executive summary

Microsoft has released security updates addressing CVE-2026-42897, a high-severity Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server that is currently being actively exploited in the wild. The flaw allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of users accessing Outlook Web Access (OWA) via specially crafted emails. This advisory impacts all EMEA financial services institutions operating on-premises Exchange Server 2016, 2019, or Subscription Edition (SE). Immediate patching is required under DORA Article 17 and CISA BOD 22-01 mandates, as the vulnerability enables client-side compromise which can serve as an initial access vector for broader network intrusion.

2. Regulatory framing

Regulation Article / Directive Practical Impact for EMEA Financial Services
DORA Art. 17 (Management of ICT Risk) Mandates immediate implementation of the June 2026 Security Updates to address the identified vulnerability. Failure to patch an actively exploited zero-day constitutes a failure in "protection and prevention" controls.
DORA Art. 19 (Reporting of Major Incidents) If exploitation results in unauthorized data access or service disruption, this triggers major incident reporting thresholds within 24 hours.
DORA Art. 28-30 (Digital Operational Resilience Testing) Requires validation that existing EDR/SIW rules detect the specific XSS payload delivery or subsequent lateral movement attempts associated with this campaign.
NIS2 Art. 21(2)(d) Requires implementation of policies for vulnerability handling; the active exploitation status elevates this to a critical priority for essential entities.
NIS2 Art. 23 Mandates supply chain risk management; third-party providers managing Exchange environments must be verified as patched.
CISA BOD 22-01 (For US-linked entities/operations) Required remediation date was 2026-05-29; organizations are now out of compliance and must remediate immediately.

3. Technical analysis & attack chain

Vulnerability Mechanism

CVE-2026-42897 is a stored/reflected Cross-Site Scripting (XSS) vulnerability located within the web page generation logic of Outlook Web Access (OWA). The vulnerability arises when Exchange Server fails to properly sanitize input during the rendering of email content. When specific interaction conditions are met, the server allows arbitrary JavaScript to be injected and executed within the security context of the authenticated user's browser session.

Confirmed Attack Chain

  1. Initial Access: An unauthenticated threat actor sends a specially crafted email containing malicious JavaScript payload to a target mailbox hosted on a vulnerable Exchange Server.
  2. Trigger: The target user opens the malicious email using Outlook Web Access (OWA). Note: The native Outlook desktop client is not the primary vector described, though OWA access via other clients may vary.
  3. Execution: Upon rendering the email, the Exchange Server processes the unsanitized input, causing the embedded JavaScript to execute in the victim's browser context.
  4. Impact: The script runs with the privileges of the logged-in user. While the source material does not detail the specific post-exploitation payload (e.g., credential harvesting, session cookie theft, or redirection), arbitrary JS execution typically enables:
    • Theft of OWA session tokens.
    • Phishing overlays (fake login prompts).
    • Lateral movement via mailbox enumeration.

Affected Versions

  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server Subscription Edition (SE)

Uncertainty & Unconfirmed Attribution

  • Attribution: No specific threat actor group has been publicly attributed to this campaign in the provided sources.
  • Payload Specifics: The source material confirms "arbitrary JavaScript" execution but does not provide the specific JS code, C2 domains, or secondary malware droppers used in observed incidents.
  • Scope: While CISA notes that 14 of 20 recent Exchange vulns were used by ransomware gangs, it is currently unknown if this specific CVE is being leveraged for ransomware pre-positioning or solely for espionage/phishing.

4. Mitigation & containment

Priority 1: Immediate (Within 24 Hours)

  • Patch Deployment: Install the June 2026 Security Updates for Exchange Server 2016, 2019, and SE immediately.
    • Action: Run the Exchange Setup executable with the /Mode:Upgrade flag or utilize Windows Update if configured for Exchange.
  • Verify EEMS Mitigation: Microsoft previously deployed an automatic temporary mitigation via the Exchange Emergency Mitigation Service (EEMS).
    • Action: Verify the mitigation is active. Do not disable the EEMS mitigation even after patching; Microsoft advises keeping it as a defense-in-depth layer.
    • Command: Check mitigation status via Exchange Management Shell: Get-ExchangeEmergencyMitigationService (verify service is running and mitigations applied).

Priority 2: Short-term (Within 72 Hours)

  • User Awareness: Issue an advisory to all staff warning against opening unexpected emails in OWA until patch levels are verified across the fleet. Advise users to report any unusual pop-ups or redirect behavior within OWA.
  • Session Revocation: For high-value targets (C-suite, Finance, Admins) who may have accessed OWA in the last 14 days (since ~May 29), force a password reset and revoke active OWA authentication cookies to invalidate potentially stolen session tokens.

Priority 3: Medium-term (Within 7 Days)

  • Hardening Review: Revisit the October joint guidance from CISA/NSA on Exchange hardening, specifically regarding network segmentation of Exchange servers and disabling legacy authentication protocols if not already done.
  • Log Analysis: Review IIS logs and Exchange HTTP logs for anomalies in OWA virtual directories (/owa, /ecp) correlating to the timeframe of known exploitation (mid-May 2026 onwards).

5. Indicators of compromise

No specific file hashes, IP addresses, or domains associated with the active exploitation of CVE-2026-42897 were provided in the source material. The indicator landscape is currently limited to the vulnerability signature itself.

# No specific IOCs (hashes, IPs, domains) available in the source material.
# Detection should focus on the vulnerability pattern and anomalous OWA activity.

6. Detection

Given the lack of specific malware hashes or C2 infrastructure in the sources, detection must focus on the behavioral pattern of XSS delivery via email and anomalous OWA usage.

YARA Rule

Note: As no specific malicious string or file payload was disclosed in the sources, a file-based YARA rule cannot be constructed without fabrication. Detection should rely on Sigma rules monitoring for the behavior.

Sigma Rule (Web/Proxy Logs)

This rule detects potential XSS payload delivery attempts targeting OWA paths. It looks for common JavaScript event handlers or tags within HTTP POST/GET requests to OWA endpoints.

title: Potential Exchange OWA XSS Attempt via HTTP
id: 8a9b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects HTTP requests containing JavaScript payload characteristics targeting Outlook Web Access (OWA) paths, relevant to CVE-2026-42897.
author: Adverse Trace
date: 2026-06-10
references:

    - https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42897
logsource:
    category: webserver
    service: iis
detection:
    selection_owa_path:
        c-uri|contains:

            - '/owa/'
            - '/ecp/'
    selection_js_payload:
        c-uri|contains|all:

            - '<script'
            - 'javascript:'
        c-uri|contains:

            - 'onerror='
            - 'onload='
            - 'onclick='
            - 'eval('
            - 'document.cookie'
    condition: selection_owa_path and selection_js_payload
falsepositives:

    - Legitimate internal testing of XSS filters
    - Malformed email content rendering in logs (if logged)
level: high
tags:

    - attack.initial_access
    - attack.t1566
    - cve.2026.42897

Sigma Rule (Process/Email)

Detects the receipt of emails with suspicious HTML/JS content if email gateway logs are ingested.

title: Suspicious Email Content Targeting OWA Users
id: 7b8c9d0e-1f2a-3b4c-5d6e-7f8a9b0c1d2e
status: experimental
description: Identifies emails containing script tags potentially aimed at exploiting CVE-2026-42897 in Exchange.
author: Adverse Trace
date: 2026-06-10
references:

    - https://nvd.nist.gov/vuln/detail/CVE-2026-42897
logsource:
    category: email
    product: exchange
    service: message_tracking
detection:
    selection:
        MessageBody|contains:

            - '<script>'
            - '<script '
            - 'javascript:'
        RecipientAddress|exists: true
    condition: selection
falsepositives:

    - Legitimate code snippets in developer communications
level: medium
tags:

    - attack.t1566.001
    - cve.2026.42897

7. Sources

  • BleepingComputer, "Microsoft patches Exchange Server zero-day exploited in attacks", 2026-06-10, https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
  • CISA, "Known Exploited Vulnerabilities — CVE-2026-42897", https://nvd.nist.gov/vuln/detail/CVE-2026-42897
  • CrowdStrike, "June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days", https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/

8. Adverse Trace position

We assess the severity of CVE-2026-42897 as Critical due to confirmed active exploitation and the low barrier to entry (no user privileges required, only user interaction). For EMEA financial services, the risk is acute as successful exploitation bypasses network perimeter defenses by leveraging trusted OWA sessions to harvest credentials or pivot internally. The presence of this vulnerability in the CISA KEV catalog with an expired remediation deadline underscores the urgency. We expect threat actors to rapidly integrate this vector into phishing campaigns targeting finance sectors. Clients must prioritize the June 2026 patch deployment immediately and maintain the EEMS mitigation layer. Adverse Trace will continue to monitor for specific IOCs and TTPs associated with post-exploitation activities stemming from this vulnerability.

Read the original source →

Published via PulseTrace — Adverse Trace threat intelligence.

Post this to LinkedIn
Formatting is converted automatically — headings, bullets, a link back & hashtags. Paste straight in.
J
Jeff Davies