Keyloggers Found on Outlook Login Pages in New Exploit

In a striking revelation, cybersecurity researchers have discovered JavaScript-based keyloggers silently operating on Outlook Web Access (OWA) login pages of Microsoft Exchange servers. These keyloggers have been actively capturing credentials from users across dozens of compromised organizations, including government entities and private-sector firms worldwide.

How the Attack Works

The attackers injected custom JavaScript into the OWA login page, hijacking the login function (clkLgn) to record usernames and passwords. In many cases, the malicious script also harvested user-agent data and cookies to support deeper compromise.

The stolen credentials were either stored in accessible files on the infected server, or exfiltrated directly via Telegram bots, Discord webhooks, or DNS tunneling, often tagged with identifiers unique to each victim organization.

Global Reach and Victims

Over 65 Exchange servers across 26 countries were found to be compromised. Victims include organizations from sectors such as:

  • Government administration
  • Information technology
  • Industrial manufacturing
  • Logistics and transportation

Researchers noted a concerning number of infections in countries like Vietnam, Russia, Taiwan, and even across Europe, the Middle East, and Africa.

How Did They Get In?

In many cases, the attackers exploited long-known vulnerabilities like:

  • ProxyLogon (CVE-2021-26855)
  • ProxyShell (CVE-2021-34473)
  • SMBGhost (CVE-2020-0796)

However, researchers also observed instances where no known vulnerability could be tied to the intrusion, suggesting alternative, possibly novel methods of compromise.

Detection and Mitigation

To identify infections, security teams are urged to:

  • Inspect OWA login page source code for unfamiliar JavaScript
  • Use YARA rules published by the researchers to detect suspicious implants
  • Conduct a thorough log analysis of authentication requests and file access patterns

If compromise is confirmed:

  • Immediately reset all user credentials
  • Rebuild the Exchange environment or apply forensic remediation
  • Monitor for lateral movement and secondary payloads
  • Patch all exposed vulnerabilities and segment OWA access behind VPN or zero-trust models
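The first item above, inspecting the OWA login page for unfamiliar JavaScript, can be scripted so it runs on every Exchange server on a schedule. The following is an added example written for this post; it is not code from the article or from the researchers it cites. It assumes a local copy of the server's logon page HTML (on Exchange this is typically logon.aspx under the FrontEnd HttpProxy owa auth folder, a path the article does not give) and a SHA-256 of a known-good copy recorded from a clean install. The indicator patterns are derived only from the behaviours the article names: re-assigning the clkLgn login handler and posting to Telegram bot or Discord webhook URLs. The two sample pages are constructed stand-ins, not real OWA markup.

```python
"""Scan a saved OWA logon page for script implants of the kind described above."""
import hashlib
import re
from html.parser import HTMLParser

# Indicators that the OWA login handler has been wrapped or replaced.
HOOK_PATTERNS = [
    r"\bclkLgn\s*=\s*function",   # handler reassigned to a new function
    r"\bwindow\.clkLgn\s*=",      # same, via the window object
    r"=\s*clkLgn\s*;",            # original handler saved before wrapping
]
# Exfiltration channels the article reports. DNS tunnelling is not a string
# pattern in the page and is better caught in DNS logs, so it is not listed.
EXFIL_PATTERNS = [
    r"api\.telegram\.org/bot",
    r"discord(?:app)?\.com/api/webhooks",
]


class ScriptExtractor(HTMLParser):
    """Collect every <script> block as (src attribute, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def scan_login_page(html):
    """Return one finding per <script> block that matches a hook or exfil pattern."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for index, (src, body) in enumerate(parser.scripts):
        reasons = []
        for pattern in HOOK_PATTERNS:
            if re.search(pattern, body):
                reasons.append("login handler hooked: " + pattern)
        for pattern in EXFIL_PATTERNS:
            if re.search(pattern, body, re.IGNORECASE):
                reasons.append("exfiltration endpoint: " + pattern)
        if reasons:
            findings.append({"script": index, "src": src, "reasons": reasons})
    return findings


def matches_baseline(html, baseline_sha256):
    """Cheap first check: does the page still hash to the known-good value?"""
    return hashlib.sha256(html.encode("utf-8")).hexdigest() == baseline_sha256


# Constructed sample pages (stand-ins for the real logon.aspx).
CLEAN_PAGE = """<html><body>
<script>function clkLgn() { /* original handler, constructed stand-in */ }</script>
<form onsubmit="clkLgn()"><input name="username"><input name="password" type="password"></form>
</body></html>"""

# Same page with an appended block showing only the tell-tale shape: the
# original handler is saved, clkLgn is reassigned, and a bot URL is present.
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
var _orig = clkLgn;
clkLgn = function () { /* placeholder: no payload in this constructed sample */ };
var endpoint = "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage";
</script>
</body>""")

# Assumed to have been recorded from a clean server before deployment.
BASELINE_SHA256 = hashlib.sha256(CLEAN_PAGE.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, "baseline match:", matches_baseline(page, BASELINE_SHA256))
        for f in scan_login_page(page):
            print(f"  script #{f['script']} (src={f['src']}): {', '.join(f['reasons'])}")
```

Run it against the page files collected from each server; a hash mismatch alone is worth a ticket, because a legitimate cumulative update changes the hash too, but a mismatch combined with a hook or exfiltration finding is the signal the article describes. External scripts (blocks with a src attribute) are reported with that attribute so the referenced file can be pulled and scanned the same way.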

Final Thoughts

These keyloggers highlight a deeply concerning trend: attackers can exploit even legacy vulnerabilities for highly targeted, credential-stealing campaigns. Organizations running on-premises Exchange must treat externally accessible OWA portals as high-value assets and protect them accordingly. Regular audits, continuous patching, and vigilant monitoring are no longer optional; they are essential.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.