In its latest research, cybersecurity solutions firm Sophos found that the Squirrelwaffle malware loader was used together with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server. This strategy mass distributes Squirrelwaffle to internal and external recipients by inserting malicious replies onto employees’ existing email threads.

Sophos researchers also discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers.

“The fraud almost succeeded,” Sophos said.

Sophos discovers Gootloader mothership controls malicious content
Sophos discovers variant of Tor2Mine cryptominer difficult to remove

The transfer of funds to the malicious recipient was authorized, but luckily a bank became suspicious and prevented the transaction from going through.

“In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server,” said Matthew Everts, an analyst at Sophos Rapid Response. “The incident investigated by Sophos Rapid Response, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server.”

Everts also said it is a good reminder that patching alone isn’t always enough protection.

“For example, in the case of vulnerable Exchange servers, you need to check that the attackers haven’t left behind a web shell to maintain access,” he said. “When it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”