Abnormal activity on Microsoft Exchange servers was detected in January 2021. In particular, an attacker exploiting a server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855) could steal the full contents of a single user mailbox. The vulnerability can be exploited remotely and requires no authentication of any kind, and no special knowledge of or access to the target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.

This vulnerability has been confirmed on both the latest version of Exchange 2016 (on a fully updated Windows Server 2016 server) and Exchange 2019 (though not tested against a fully updated version). The vulnerability does not appear to affect Office 365.

More information on the identified vulnerabilities and Indicators of Compromise (IoC) can be found at https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Source: https://www.volexity.com