Get Help Now

Get expert threat analysis weekly. Sign up to receive our Threat Briefing:


    Date: 9/29/2022


    Possible Microsoft Exchange Zero-Day Vulnerability Exploitation


    The SOC team at GTSC, a Vietnamese cybersecurity organization, reports that a Chinese threat actor group is exploiting a ProxyShell-like Zero Day vulnerability affecting on-premises Microsoft Exchange servers. The referenced Indicators of Compromise are very similar to ProxyShell exploits from March and August of 2021. Attackers have been observed dropping webshells and other malicious software on vulnerable servers.

    GTSC has submitted the vulnerability to the Zero Day Initiative (ZDI) and is working with Microsoft to accelerate patch release.

    Potential Impact

    If this exploit is verified as a zero-day exploit on fully patched Microsoft Exchange servers, it is potentially quite disruptive. ProxyShell exploitation has been a favorite of ransomware threat actor groups since the disclosure of Microsoft Exchange vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 in May of 2021.

    Recommended Actions

    Though Microsoft has not released a patch for this vulnerability, there is a known workaround that will block exploitation attempts. This includes adding a new IIS Exchange Server rule with the URL rewrite module. Steps are as follows:

    • Within IIS for the FrontEnd Autodiscover site, select an option to add a request blocking rule.
    • Ensure that the rule will block access based on “URL Path”.
    • Add the string “.*autodiscover.json.*@.*Powershell.*” (without quotes).
    • Ensure that the rule is using regular expressions.
    • For the condition input, select {REQUEST_URI}.

    Please note this mitigation is not confirmed, however it will block the known indicator of attacker activity. Administrators should pay very close attention to incoming traffic to on-premises Microsoft Exchange servers for potential signs of compromise. Additionally, paying close attention to the future directions from Microsoft are imperative to securing servers.

    Request Consultation

    For more information, fill out the form below and we will be in touch shortly

      Number of Employees - select one:
      Industry - select one:

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

      Let’s Discuss Your Cybersecurity Needs

      Contact Us  
      Privacy Settings
      We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
      Consent to display content from - Youtube
      Consent to display content from - Vimeo
      Google Maps
      Consent to display content from - Google
      Consent to display content from - Spotify
      Sound Cloud
      Consent to display content from - Sound
      Contact Us