Play ransomware bypasses Microsoft’s ProxyNotShell mitigations

Operators behind the Play ransomware are now using a new exploit chain that bypasses ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).

The exploit, dubbed “OWASSRF,” was discovered by researchers with cybersecurity firm CrowdStrike while investigating several Play ransomware incidents that involved compromised Microsoft Exchange servers.

ProxyNotShell is a moniker for a set of two high-severity Microsoft Exchange vulnerabilities (CVE-2022-41082 and CVE-2022-41040) that have been exploited in attacks linked to a China-based threat actor. CVE-2022-41082 is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while CVE-2022-41040 allows a remote attacker to perform SSRF attacks. Both bugs were fixed as part of Microsoft’s November 2022 Patch Tuesday release.

The new exploit chain spotted by CrowdStrike involves an SSRF equivalent to the Autodiscover technique, followed by the exploit used in the second step of ProxyNotShell. After gaining initial access, the threat actor used legitimate Plink and AnyDesk executables to maintain access and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to fly under the radar.

To execute arbitrary commands on the compromised servers, the threat actor used Remote PowerShell to exploit the CVE-2022-41082 vulnerability.

“In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access,” the researchers explained. “Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange.”

The researchers said that the second flaw abused by OWASSRF is likely CVE-2022-41080, a vulnerability that allows a remote user to escalate privileges on a vulnerable Microsoft Exchange server.

“Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,” the researchers advised.
