A Five-Year Track Record of Exchange Exploitation
Over the last five years, the Cybersecurity and Infrastructure Security Agency (CISA) has added 19 distinct Microsoft Exchange Server vulnerabilities to its catalog of actively exploited flaws. Out of this alarming number, 14 have been directly linked to widespread ransomware attacks. This is not a series of isolated incidents. It represents a persistent, systemic targeting of on-premises email infrastructure by sophisticated threat actors.

These attackers, ranging from state-sponsored groups to cybercriminal ransomware affiliates, view Exchange servers as a high-value prize. A compromised Exchange server provides access to internal communications, sensitive documents, and often serves as a stepping stone into the broader corporate network. Understanding this pattern is the first step in building a resilient defense.
Anatomy of the Latest Threat
On Thursday, Microsoft disclosed a high-severity spoofing vulnerability tracked as CVE-2026-42897. This flaw allows an attacker to execute arbitrary code via cross-site scripting (XSS) by targeting Outlook on the Web (OWA) users. Microsoft describes the vulnerability as affecting up-to-date versions of Exchange Server 2016, Exchange Server 2019, and the newer Exchange Server Subscription Edition (SE).
The attack vector itself is clever in its simplicity. An attacker exploits this issue by sending a specially crafted email to a user. If that user opens the email in OWA and meets certain specific interaction conditions, arbitrary JavaScript can execute within the browser context. This can lead to session hijacking, data theft, and lateral movement within the organization’s email system.
The Technical Trigger
The vulnerability is categorized as a spoofing flaw, but its impact relies on persistent XSS. Once the malicious script runs in the user session, it essentially allows the attacker to borrow the identity and permissions of the victim. This is particularly dangerous for immediate account takeover and can lead to further compromise. Microsoft's Exchange Team has emphasized that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for on-premises servers running Exchange 2016, 2019, and SE.
Breaking Down the 5 Zero-Day Attacks
To truly grasp the current threat posture, it helps to view CVE-2026-42897 as the fifth major wave in an ongoing campaign against Exchange. Each of these five zero-day attacks has forced the security community to adapt its approach to exchange zero-day mitigations.
1. ProxyLogon (March 2021)
ProxyLogon was a watershed moment for Exchange security. This set of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) allowed unauthenticated attackers to achieve full remote code execution on any vulnerable Exchange server. The fallout was immense. Tens of thousands of organizational networks were breached, often leading to ransomware deployment and data extortion. This attack single-handedly reshaped how Microsoft handled emergency mitigation.
2. ProxyShell (August 2021)
Hot on the heels of ProxyLogon came ProxyShell. This chain of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) provided pre-authentication remote code execution. It quickly became a favorite tool for ransomware groups like LockBit. The speed at which attackers weaponized these flaws highlighted the need for faster automatic defenses than traditional monthly patch cycles.
3. ProxyNotShell (September 2022)
By September 2022, attackers had found a way around the initial mitigations. ProxyNotShell involved a server-side request forgery (SSRF) vulnerability (CVE-2022-41040) chained with a PowerShell execution flaw (CVE-2022-41082). This forced Microsoft to rapidly update its mitigation strategy, setting the stage for the automated systems we rely on today.
4. OWASSRF (2022)
Later in 2022, OWASSRF emerged, using a similar SSRF approach via Outlook Web Access (CVE-2022-41080) chained with the same PowerShell RCE (CVE-2022-41082). This attack reinforced the idea that OWA is a persistent weak point attackers will continue targeting.
5. CVE-2026-42897 (The Current XSS Spoofing Attack)
This latest vulnerability continues the trend of exploiting OWA interactions. While it is an XSS spoofing flaw rather than direct RCE, its potential for account takeover and data exfiltration is severe. It demonstrates that the attack surface is still wide open and that
Immediate Steps for Exchange Zero-Day Mitigations
Given the frequency and severity of these attacks, waiting for a full cumulative update is no longer a viable strategy. Microsoft has institutionalized the concept of exchange zero-day mitigations through two primary tools: the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT).
Leveraging the Emergency Mitigation Service
EEMS was introduced in September 2021, directly as a result of the ProxyLogon and ProxyShell crises. It runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role. When Microsoft identifies a critical vulnerability like CVE-2026-42897, EEMS automatically pushes an interim mitigation to eligible servers.
Using EEMS is currently the best way for your organization to enable exchange zero-day mitigations right away. If you have the service disabled, Microsoft recommends re-enabling it immediately to close this vulnerability window. It is important to note that the service cannot check for new mitigations if your server is running an Exchange version older than March 2023. Keeping your underlying build current is essential for automated protection.
Air-Gapped Environments and EOMT
For administrators operating air-gapped environments or those with strict change management protocols, the EOMT provides a manual alternative. Admins can download the latest version and apply the mitigation by running the script via an elevated Exchange Management Shell (EMS). This allows for precise control over how and when the mitigation is applied across the estate.
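The two paragraphs above describe re-enabling EEMS and checking build currency, and this section describes running EOMT from an elevated Exchange Management Shell. The following is an added example of that verification sequence as an administrator would type it into EMS; it is not code from the article or from Microsoft. It assumes `EX01` is a placeholder Mailbox server name, that the session is an elevated EMS on an Exchange server (so `$exscripts` points at the Exchange Scripts folder), and that `C:\Tools\EOMT.ps1` is a placeholder path for a separately downloaded copy of EOMT.

```powershell
# Added example: verify EEMS can protect a Mailbox server, re-enable it if it
# was switched off, and show where EOMT fits for air-gapped estates.
# Run in an elevated Exchange Management Shell. EX01 is a placeholder name.

$server = 'EX01'   # placeholder: replace with your Mailbox server name

# 1. Build currency. EEMS cannot fetch new mitigations on builds older than
#    March 2023, so confirm the running build before trusting automatic protection.
Get-ExchangeServer -Identity $server | Format-List Name, AdminDisplayVersion

# 2. The EEMS Windows service (MSExchangeMitigation) must exist and be running.
Get-Service -Name MSExchangeMitigation | Format-List Name, Status, StartType

# 3. Mitigations are gated at two scopes: the organization and the individual server.
#    Both must report MitigationsEnabled = True for EEMS to act.
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $server |
    Format-List MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 4. Re-enable whichever scope has been disabled.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Set-OrganizationConfig -MitigationsEnabled $true
}
if (-not (Get-ExchangeServer -Identity $server).MitigationsEnabled) {
    Set-ExchangeServer -Identity $server -MitigationsEnabled $true
}
if ((Get-Service -Name MSExchangeMitigation).Status -ne 'Running') {
    Start-Service -Name MSExchangeMitigation
}

# 5. Confirm the server can reach Microsoft's mitigation endpoint and list the
#    mitigations currently applied. Both scripts ship in the Exchange Scripts folder.
$connectivity = Join-Path $exscripts 'Test-MitigationServiceConnectivity.ps1'
$listApplied  = Join-Path $exscripts 'Get-Mitigations.ps1'
if (Test-Path $connectivity) { & $connectivity }
if (Test-Path $listApplied)  { & $listApplied }

# 6. Air-gapped alternative. When the server cannot reach Microsoft, EEMS never
#    receives the mitigation; download the current EOMT on a connected machine,
#    transfer it, and run it from this same elevated shell (path is a placeholder).
$eomt = 'C:\Tools\EOMT.ps1'
if (Test-Path $eomt) { & $eomt }
```

Steps 1 through 5 are the check you want in a runbook before relying on EEMS after an advisory like this one: an enabled organization setting with a disabled server setting, or a service that is stopped, leaves the server silently unprotected while the dashboard looks green. Step 6 is the manual path the section above describes for estates where the service cannot phone home.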
Known Side Effects and Workarounds
Applying these exchange zero-day mitigations is necessary, but it is not without consequences. Microsoft has documented specific known issues that arise when the mitigation is active.
Planning for Long-Term Security
In October 2024, weeks after Exchange 2016 and 2019 reached their end of support, CISA and the NSA released joint guidance on hardening Exchange servers. This guidance is essential reading for any organization still running on-premises Exchange. It covers baseline security practices, network segmentation, and monitoring strategies to detect post-compromise activity.
The Extended Security Update Program
Microsoft plans to release official patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. However, there is a critical catch. Updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Extended Security Updates (ESU) program. This represents a significant shift in the patch lifecycle. Organizations still running these versions must be proactively enrolled to receive any future security fixes.
Building a Resilient Posture
The pattern is clear. Manual patching cycles are too slow to counter these highly publicized, immediately exploited zero-days. Integrating automated exchange zero-day mitigations like EEMS into your standard operating procedures is now a baseline requirement for any competent IT security program.
The revelation of CVE-2026-42897 serves as a powerful reminder that on-premises email infrastructure remains a high-priority target. The posture must shift from reaction to anticipation. By embracing tools like EEMS and planning for the ESU program, administrators can significantly reduce their window of exposure and protect their organizations from the next wave of attacks already on the horizon.