Microsoft disclosed a high-severity zero-day vulnerability in Exchange Server exploited in active attacks. The flaw enables threat actors to execute arbitrary code through cross-site scripting (XSS) attacks targeting Outlook on the web users.

The vulnerability allows attackers to inject malicious scripts that execute in the context of a user's browser session. This grants adversaries the ability to perform actions as the authenticated user, including accessing email, stealing credentials, or deploying additional malware. The XSS vector specifically affects Outlook on the web, the browser-based email client used by enterprise and hybrid Exchange deployments.

Microsoft released mitigations for organizations unable to patch immediately. These include disabling Outlook on the web temporarily, restricting access to Exchange servers at the network perimeter, and implementing Web Application Firewall (WAF) rules to block malicious requests. The company has not yet released a permanent patch, though security updates are expected.

This vulnerability affects organizations running on-premises versions of Exchange Server. Exchange Online customers in the cloud receive automatic protections through Microsoft's cloud infrastructure. Organizations with hybrid configurations face elevated risk, since attackers can target the on-premises component through its web interface.

Threat actors have already weaponized this vulnerability in targeted campaigns. The timing of public disclosure creates urgency for administrators managing Exchange deployments. Organizations should prioritize applying mitigations immediately and monitor for suspicious Outlook on the web activity, including unusual script execution or credential theft attempts.

The vulnerability underscores the continuing risk posed by web application flaws in widely deployed enterprise software. Exchange Server remains a high-value target for threat actors seeking email access and lateral movement within corporate networks. Organizations should treat this flaw with the same urgency applied to critical remote code execution vulnerabilities given the real-world exploitation evidence.