Microsoft has issued an advisory warning of an actively exploited zero-day vulnerability in Exchange Server that allows threat actors to execute arbitrary code through a cross-site scripting (XSS) flaw targeting Outlook on the web users. The company shared mitigations while a full patch remains in development.
Vulnerability Overview
The high-severity flaw resides in Exchange Server's Outlook Web Access (OWA) interface. Successful exploitation enables attackers to execute arbitrary code in the context of a victim's browser session — potentially allowing account takeover, credential theft, and lateral movement within Exchange-connected environments.
Key details:
- Attack vector: Cross-site scripting (XSS) via a crafted email or link
- Severity: High
- Exploitation status: Actively exploited in the wild
- Affected component: Outlook on the web (OWA)
Active Exploitation
Microsoft confirmed this vulnerability is being exploited in ongoing attacks. The XSS nature of the bug means that simply viewing a malicious email or clicking an attacker-controlled link within OWA could trigger code execution without further user interaction.
Given Exchange Server's role as critical communication infrastructure across enterprises, the risk of credential harvesting and further network compromise is elevated.
Mitigations Available
While a full patch was not immediately available, Microsoft provided mitigations for organizations to deploy immediately:
- Restrict access to OWA to internal networks or VPN-only until patching is complete
- Enable multi-factor authentication (MFA) on all Exchange-connected accounts to limit the impact of credential compromise
- Review mail flow rules and monitor for anomalous forwarding or access patterns
- Apply Microsoft's published workarounds from the official advisory
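One way to act on the "monitor for anomalous forwarding" mitigation above, as an added example that is not part of the article or of Microsoft's advisory: the PowerShell below assumes an Exchange Management Shell session with rights to read mailbox and inbox-rule settings, and treats the organization's accepted domains as "internal" so that any forwarding or redirect target outside them is reported.

```powershell
# Added example (not from the advisory): report mailbox-level forwarding and
# inbox rules that forward or redirect mail to addresses outside the organization.
# Assumes an Exchange Management Shell session against on-premises Exchange.

# Every accepted domain is treated as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule targets render as "Display Name [SMTP:user@example.com]" or a bare
    # address; mailbox forwarding renders as "smtp:user@example.com".
    if ($Recipient -match '([\w\.\-\+]+@(?:[\w\-]+\.)+[\w\-]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    return $false   # no SMTP address present (e.g. an internal recipient object)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set through admin tooling rather than a user rule
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress.ToString())) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Rule = '<mailbox forwarding>'
            Enabled = $true; ExternalTargets = $mbx.ForwardingSmtpAddress; DeletesCopy = -not $mbx.DeliverToMailboxAndForward
        }
    }
    # User inbox rules: forward, forward-as-attachment and redirect actions
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-ExternalRecipient $_.ToString()) }
        if ($external) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                Enabled = $rule.Enabled; ExternalTargets = ($external -join '; '); DeletesCopy = $rule.DeleteMessage
            }
        }
    }
}

# Rules that both forward externally and delete the local copy are the ones
# most worth reviewing first, since they hide the exfiltration from the user.
$findings | Sort-Object DeletesCopy, Mailbox -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run so that newly created external forwarding stands out rather than being lost in a long-standing baseline.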
Recommended Actions
Organizations running Exchange Server should:
- Monitor the Microsoft Security Response Center for patch availability and apply it immediately upon release
- Audit OWA access logs for suspicious activity dating back at least 30 days
- Deploy email security controls (DKIM and DMARC enforcement) to reduce the phishing delivery surface
- Alert security teams to elevated Exchange-related incidents while the vulnerability remains unpatched
Broader Context
Exchange Server zero-days have historically been among the most impactful enterprise vulnerabilities, as Exchange is deeply integrated with Active Directory and organizational communications. Incidents like ProxyLogon and ProxyShell demonstrated how quickly mass exploitation follows public disclosure.
The active exploitation of this flaw before a full patch is available underscores the need for defense-in-depth approaches — particularly for organizations that cannot restrict OWA access immediately.
Source: BleepingComputer