Threat actors are actively scanning for the critical Microsoft Exchange ProxyShell vulnerabilities. The attacks began after security researchers presented technical details of these flaws at the Black Hat conference.
ProxyShell attacks chain three vulnerabilities that allow unauthenticated attackers to achieve remote code execution on Microsoft Exchange servers. The vulnerabilities are exploited remotely through Microsoft Exchange's Client Access Service (CAS), which runs on port 443 in IIS.
The three ProxyShell vulnerabilities are CVE-2021-34473 (Pre-auth Path Confusion leads to ACL Bypass), CVE-2021-34523 (Elevation of Privilege on Exchange PowerShell Backend) and CVE-2021-31207 (Post-auth Arbitrary-File-Write leads to RCE). CVE-2021-34473 and CVE-2021-34523 were disclosed in July, but these problems were fixed earlier, in April's Microsoft Exchange KB5001779 cumulative update.
Security researcher Orange Tsai spoke at Black Hat about the recent Microsoft Exchange vulnerabilities he discovered while examining the Microsoft Exchange Client Access Service (CAS) attack surface. One part of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service, which lets mail client software configure itself with minimal user interaction.
Security researchers PeterJson and Jang published technical details of their successful reproduction of the ProxyShell exploit. Researcher Kevin Beaumont later reported attackers probing the Autodiscover service of his Microsoft Exchange honeypot. The initial attempts failed, but once more details about the vulnerabilities were disclosed, the attackers modified their scans to use the new Autodiscover URL. Accessing that URL causes the ASP.NET worker process (w3wp.exe) to compile a web application.
Administrators are strongly advised to use Azure Sentinel to check IIS logs for the strings "/autodiscover/autodiscover.json" or "/mapi/nspi/". Requests for the targeted Autodiscover URL indicate that threat actors have been scanning for vulnerable servers. Microsoft Exchange admins must install the latest cumulative updates to protect their systems from these vulnerabilities.
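As an added example (not part of the article), the following Python script performs the same IIS log check offline: it parses the W3C log format using the `#Fields` header, URL-decodes the request path and query string so percent-encoded variants are not missed, and reports each request containing one of the two indicator strings. The log lines are constructed for illustration; in Azure Sentinel the equivalent match would be written in KQL.

```python
"""Scan IIS W3C logs for the ProxyShell probe strings named in the article."""
import urllib.parse

# Constructed sample log: one benign request and two probe-style requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-08-13 10:01:02 10.0.0.5 GET /owa/ - 200
2021-08-13 10:02:15 203.0.113.7 GET /autodiscover/autodiscover.json a=1 200
2021-08-13 10:03:40 203.0.113.7 POST /autodiscover/autodiscover.json x=/mapi%2Fnspi%2F 200
"""

# The two strings the article recommends searching for.
INDICATORS = ("/autodiscover/autodiscover.json", "/mapi/nspi/")


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the latest #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, parts))


def find_proxyshell_probes(text, indicators=INDICATORS):
    """Return (client ip, timestamp, decoded uri) for every request hitting an indicator."""
    hits = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        # Decode once so "%2F" becomes "/" and compare case-insensitively.
        decoded = urllib.parse.unquote(uri).lower()
        if any(ind in decoded for ind in indicators):
            hits.append((rec.get("c-ip"), f"{rec.get('date')} {rec.get('time')}", decoded))
    return hits


if __name__ == "__main__":
    for ip, when, uri in find_proxyshell_probes(SAMPLE_LOG):
        print(f"{when} {ip} {uri}")
```

The decoded URI is returned with each hit so an analyst can review the exact request before treating the source as hostile.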
There are currently 400,000 Microsoft Exchange servers exposed on the Internet, so there are bound to be successful attacks.