Facepalm: Keylogging malware is a particularly dangerous threat, as it is typically designed to capture login credentials or other sensitive data from users. When you add a compromised Exchange server to the mix, it creates an even nastier situation for any organization.

Researchers from Positive Technologies recently unveiled a new study on a keylogger-based campaign targeting organizations worldwide. The campaign, which resembles a similar attack discovered in 2024, focuses on compromised Microsoft Exchange Server installations belonging to 65 victims across 26 countries.

The cybercriminals compromised Exchange servers either by exploiting well-known security vulnerabilities or through completely unknown methods. After gaining access, the hackers deployed JavaScript keyloggers designed to intercept login credentials from the organization’s Outlook on the Web page.

OWA serves as the web version of Microsoft Outlook and is part of both the Exchange Server platform and the Exchange Online service within Microsoft 365. According to the study, the JavaScript keyloggers provided the attackers with persistence on the compromised servers and remained undetected for months.

The researchers discovered several keyloggers, classifying them into two main types: those designed to write captured inputs to a file on the local server – accessible from the internet at a later date – and those that sent stolen credentials over the global network via DNS tunnels or Telegram bots. The files containing the logged data were properly marked to make it easier for cybercriminals to identify the compromised organization.

The majority of compromised Exchange servers belonged to government organizations, PT researchers explained. Other victims operated in sectors such as IT, industrial, and logistics. Most infections were discovered in Russia, Vietnam, and Taiwan, with nine compromised companies located in Russia alone.

The researchers highlighted that large numbers of Exchange servers remain vulnerable to long-known security flaws. Companies should treat security vulnerabilities as critical issues by establishing proper vulnerability management processes, the PT experts advised.

Furthermore, organizations using the Microsoft platform should deploy modern web applications and protection systems to detect malicious network activity. Regularly scanning files related to user authentication for potentially malicious code can also be a useful practice.