Hackers Use JavaScript Keyloggers to Target Microsoft Exchange Servers
In June 2025, security researchers reported a new wave of attacks on Microsoft Exchange servers, since dubbed the “Exchange server attack 2025”. The attackers injected JavaScript keyloggers into Outlook Web Access (OWA) login pages, so that credentials were captured silently as users signed in. The campaign affected 65 servers across 26 countries, in sectors including government, education, logistics, and information technology.
How the Attack Works
According to the researchers, the injected keyloggers came in two variants:
- Local capture: the script records the username, password, and browser details and writes them to a file on the server itself. That file sits in a location reachable from the internet, so the attacker can collect it later with an ordinary HTTP request, and nothing leaves the network at the moment of theft.
- Remote capture: the script sends the stolen details straight to attacker-controlled infrastructure, using DNS queries or a messaging service as the channel.
Both variants are hard to spot. The injected code is only a few lines inside a page that legitimately contains script, and in the local variant there is no outbound traffic to alert on until the attacker comes to pick up the file.
What Allowed the Attack?
The attackers did not need a new Exchange bug. They gained code execution through well-known vulnerabilities that Microsoft patched in 2021 or earlier but that were still open on the affected servers, including:
- ProxyLogon: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
- ProxyShell: CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473
- Older flaws: CVE-2014-4078 (IIS security feature bypass), CVE-2020-0796 (SMBv3 remote code execution)
Because these servers had never been updated, the attackers could run code on them and edit the login page files without any further permission.
Why This Matters
This attack is serious for several reasons:
- It is stealthy: a few lines of injected script in a page that already contains script rarely trigger alerts.
- It hits sensitive targets: government and business mail servers were affected.
- It is preventable: every vulnerability used here had a patch available for years.
Together, these factors make the risk of stolen credentials, and of follow-on intrusions using them, high.
How to Protect Your Systems
To avoid becoming the next victim of an attack like this, take these steps:
1. Apply All Updates
First, make sure your Exchange servers are fully updated. Microsoft's current cumulative and security updates include fixes for every flaw used in this attack; all of them were patched in 2021 or earlier.
2. Check Login Pages Often
Next, inspect your login pages. Look for changes to the page and script files, and for script you cannot account for. Focus on the /owa/auth directory, and compare what is on disk against a known-good copy from a freshly patched server or installation media.
3. Watch Your Network Traffic
Then, monitor for odd patterns: sudden file changes under the web root, unusual DNS lookups (for example long or high-entropy subdomains), and HTTP requests for unexpected files under /owa/. These can point to data being staged or exfiltrated.
4. Limit Server Access
Also, avoid exposing Exchange login panels to the public internet. Use firewalls, IP filtering, or a VPN to restrict who can reach OWA and ECP.
5. Add Extra Security Layers
Finally, use tools such as a Web Application Firewall (WAF) and endpoint protection. They can block or at least alert on the exploitation attempts and the script changes that follow.
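The PowerShell script below is an added example written for this article; it is not code from the original report or from Microsoft. It implements steps 2 and 5 together: it baselines SHA-256 hashes of everything under the OWA auth directory, reports files that were added (the local-capture drop file), modified (an edited logon page) or removed, and greps the page and script files for patterns typical of a credential grabber (hooking the logon form, reading the credential fields, and beaconing out). The install path is taken from the ExchangeInstallPath environment variable that Exchange setup creates, and the baseline file location is an assumption; adjust both for your environment.

```powershell
# Added example, not from the original article or from Microsoft.
# Run in an elevated PowerShell session on the Exchange server.
# Assumed paths: the default Exchange install location and a baseline
# file kept somewhere the web server cannot serve.
$OwaAuth  = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
$Baseline = 'C:\Secure\owa-auth-baseline.csv'

# Heuristic indicators of an injected credential grabber: hooking the
# logon form, reading the credential fields, and sending the result out
# (remote variant). These are generic patterns, not signatures from the
# incident report, so every hit still needs a human look.
$Indicators = @(
    'addEventListener\s*\(\s*[''"]submit',
    'onsubmit\s*=',
    'getElementById\s*\(\s*[''"](username|password|passwd)',
    'XMLHttpRequest',
    'fetch\s*\(',
    'navigator\.sendBeacon',
    'new\s+Image\s*\(',
    'document\.cookie',
    'api\.telegram\.org'
)

function Get-OwaAuthHashes {
    # SHA-256 of every file under the OWA auth directory.
    Get-ChildItem -Path $OwaAuth -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteTime = $_.LastWriteTime
        }
    }
}

function New-OwaAuthBaseline {
    # Take the baseline right after a clean install or update, never from a
    # server you already suspect is compromised.
    New-Item -ItemType Directory -Force -Path (Split-Path $Baseline) | Out-Null
    Get-OwaAuthHashes | Export-Csv -Path $Baseline -NoTypeInformation
}

function Compare-OwaAuthBaseline {
    # Report files added, removed or modified since the baseline. An ADDED
    # file in this web-accessible directory is the classic local-capture drop;
    # a MODIFIED logon.aspx is where the keylogger itself would live.
    $old = @{}
    Import-Csv $Baseline | ForEach-Object { $old[$_.Path] = $_.Hash }
    $new = @{}
    Get-OwaAuthHashes | ForEach-Object { $new[$_.Path] = $_.Hash }

    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'ADDED';    Path = $p }
        } elseif ($old[$p] -ne $new[$p]) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $p }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'REMOVED';  Path = $p }
        }
    }
}

function Find-OwaKeyloggerIndicators {
    # Grep the page and script files for the patterns above. logon.aspx
    # legitimately contains script, so compare hits against a known-good copy.
    Get-ChildItem -Path $OwaAuth -Recurse -File -Include *.aspx,*.js,*.htm,*.html |
        Select-String -Pattern $Indicators |
        Select-Object Path, LineNumber, Pattern, @{ n = 'Snippet'; e = { $_.Line.Trim() } }
}

function Get-OwaAuthRecentChanges {
    # Files touched in the last N days, for the "sudden file changes" check
    # when no baseline exists yet.
    param([int]$Days = 30)
    Get-ChildItem -Path $OwaAuth -Recurse -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

# Typical use: run New-OwaAuthBaseline once after patching, then on a schedule:
#   Compare-OwaAuthBaseline   | Format-Table -AutoSize
#   Find-OwaKeyloggerIndicators | Format-Table -AutoSize
#   Get-OwaAuthRecentChanges -Days 7
```

Re-run New-OwaAuthBaseline after every cumulative or security update, since legitimate updates rewrite these files and would otherwise show up as MODIFIED. Keep the baseline CSV off the web root and ideally off the server, so an attacker with code execution cannot simply regenerate it after planting their script.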
Security Checklist
| Action | Benefit |
|---|---|
| Install all Exchange updates | Stops known exploits |
| Review login page code regularly | Detects injected keyloggers |
| Monitor DNS and web traffic | Finds hidden data leaks |
| Block public access to OWA/ECP | Lowers your attack surface |
| Use WAF and endpoint tools | Adds extra defense |
| Set up file monitoring | Catches changes to key directories |
Final Thoughts
In short, attackers are still going after unpatched Microsoft Exchange servers, and the campaign researchers call the Exchange server attack 2025 shows how little they need once they are in: a few lines of script on the login page, and every sign-in hands them a password. Keeping systems up to date and checking for small changes to the web files stops this class of attack before it causes damage.
Stay alert, patch often, and watch what is happening on your network. A few simple, consistently applied steps protect the whole business.