{"id":24791,"date":"2026-06-23T10:19:08","date_gmt":"2026-06-23T03:19:08","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=24791"},"modified":"2026-06-26T02:20:49","modified_gmt":"2026-06-25T19:20:49","slug":"new-zero-day-on-microsoft-exchange-just-one-email-can-steal-an-entire-owa-login-session","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/new-zero-day-on-microsoft-exchange-just-one-email-can-steal-an-entire-owa-login-session\/","title":{"rendered":"New Zero-Day on Microsoft Exchange: Just one email can steal an entire OWA login session"},"content":{"rendered":"<h2 id=\"risk-summary\"><span style=\"font-family: arial, helvetica, sans-serif\">Risk summary<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Recently, a particularly severe vulnerability was discovered, causing significant concern within the security community. Just a single carefully crafted email is enough to execute malicious JavaScript directly in the browser of Microsoft Exchange On-Prem users. Alarmingly, this vulnerability was exploited in the wild before many organizations realized they were at risk. However, the most notable issue isn&#8217;t the potential to hijack an Outlook Web Access (OWA) session. The real problem is that even Microsoft&#8217;s official security check tool is &#8220;overlooking&#8221; the system&#8217;s protection status. 
Health Checker might report that the server is secure while the mitigation isn&#8217;t functioning properly, creating an extremely dangerous false sense of security for administrators.<\/span><\/p>\n<h2 id=\"background-and-history-of-the-attack\"><span style=\"font-family: arial, helvetica, sans-serif\">Background and history of the attack<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft Exchange On-Premises has long been a key target for APT and ransomware operators because it is considered a central enterprise email system, often exposed to the Internet via OWA\/ECP, and contains credentials and sensitive data. This is not the first time Microsoft Exchange On-Premises has been actively exploited; numerous high-risk campaigns have been recorded in the past.<\/span><\/p>\n<table>\n<colgroup>\n<col \/>\n<col \/>\n<col \/>\n<col \/>\n<col \/><\/colgroup>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Campaign<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Year recorded<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">CVE<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Affected version<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Type of vulnerability<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">ProxyLogon<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">2021<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft Exchange Server 2013-2019<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Remote code execution (RCE) via unauthenticated access<\/span><\/td>\n<\/tr>\n<tr>\n<td><span 
style=\"font-family: arial, helvetica, sans-serif\">ProxyShell<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">2021<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVE-2021-34473, CVE-2021-34523, CVE-2021-31207<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft Exchange Server (on-premises)<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Remote code execution (RCE) via unauthenticated access<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">OWASSRF<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">2022<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVE-2022-41040 and CVE-2022-41082<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft Exchange Server 2013, 2016, 2019<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">CVE-2026-42897 continues to highlight the current cybersecurity reality that Exchange On-Premises remains a significant attack surface. The OWA browser context is an attractive target, and email-based exploitation is still effective despite the presence of many modern defense layers. 
Unlike ProxyLogon\/ProxyShell, which focus on server-side RCE, CVE-2026-42897 relies on client-side execution in the browser and leads to session hijacking, identity abuse, and abuse of browser trust.<\/span><\/p>\n<h2 id=\"information-vulnerability\"><span style=\"font-family: arial, helvetica, sans-serif\">Vulnerability information<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Attribute<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Value<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVE<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVE-2026-42897<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Severity<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">High<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CVSS<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">8.1<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CWE<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">CWE-79 &#8211; Cross-Site Scripting<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Affected Component<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Outlook Web Access (OWA)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Affected Products<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Exchange Server 2016 \/ 2019 \/ SE<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Attack Vector<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Network<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, 
User">
helvetica, sans-serif\">User Interaction<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Required<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Exploitation<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Confirmed In-The-Wild<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"event-timeline\"><span style=\"font-family: arial, helvetica, sans-serif\">Event timeline<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Date<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Event<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">14\/05\/2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft announces CVE-2026-42897<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">14\/05\/2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Active exploitation confirmed<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">15\/05\/2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">The Hacker News and several security firms issue warnings<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">15-17\/05\/2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft releases a temporary mitigation through EEMS<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Present<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">No complete, permanent security patch is available yet<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"technical-mechanism\"><span style=\"font-family: arial, 
Technical">
helvetica, sans-serif\">Technical mechanism<\/span><\/h2>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/d452ade8-5271-43e0-b088-5fa87a51f785-1780672853.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24792\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/d452ade8-5271-43e0-b088-5fa87a51f785-1780672853.png\" alt=\"D452ade8 5271 43e0 B088 5fa87a51f785 1780672853\" width=\"1024\" height=\"1536\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/d452ade8-5271-43e0-b088-5fa87a51f785-1780672853.png 1024w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/d452ade8-5271-43e0-b088-5fa87a51f785-1780672853-700x1050.png 700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h3 id=\"exploitation-conditions\"><span style=\"font-family: arial, helvetica, sans-serif\">Exploitation conditions<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">For the campaign to succeed, the attacker first sends a crafted email, the user then opens that email in OWA, and the JavaScript payload executes in the browser context. The attacker&#8217;s payload can read the DOM, send requests on behalf of the user, steal tokens, and perform spoofing actions.<\/span><\/p>\n<h3 id=\"related-architecture-and-root-cause\"><span style=\"font-family: arial, helvetica, sans-serif\">Related Architecture and Root Cause<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">To understand why CVE-2026-42897 is dangerous even though it is not a traditional Remote Code Execution (RCE) vulnerability, we need to look at how Microsoft Exchange On-Premise handles email through Outlook Web Access (OWA).<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In the typical operation model, users access OWA via a web browser. The request goes through IIS and the Exchange Frontend before connecting to the Mailbox Service to retrieve email content. 
Then, the OWA Rendering Engine converts the email into HTML content and returns it for the user&#8217;s browser to display.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/88fe2d8b-98a1-4109-a4dd-b9336f65c4d2-1780672881.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24794\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/88fe2d8b-98a1-4109-a4dd-b9336f65c4d2-1780672881.png\" alt=\"88fe2d8b 98a1 4109 A4dd B9336f65c4d2 1780672881\" width=\"1024\" height=\"559\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/88fe2d8b-98a1-4109-a4dd-b9336f65c4d2-1780672881.png 1024w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/88fe2d8b-98a1-4109-a4dd-b9336f65c4d2-1780672881-700x382.png 700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The issue with CVE-2026-42897 lies precisely in this content rendering step. When an email containing HTML is sent to the Exchange system, OWA parses the MIME content, reconstructs the HTML content, and renders it directly in the browser. By design, HTML email is considered valid &#8220;rich content&#8221; to support a modern webmail experience. However, the input data sanitization process did not completely remove dangerous elements controlled by the attacker. This creates a Stored XSS within the context of OWA.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In other words, the attacker doesn&#8217;t need to exploit the operating system or execute code on the Exchange server. Instead, they just need to send a crafted email containing specially designed HTML\/JavaScript payload. 
When the victim opens the email using OWA, the browser will render this content as a legitimate part of the Exchange webpage, and the malicious JavaScript will execute directly within the user&#8217;s session.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This means the malicious script will run under the same origin as OWA, for example:<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/8228d74b-5673-4eb0-b93a-86935307d8f7-1780672895.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24795\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/8228d74b-5673-4eb0-b93a-86935307d8f7-1780672895.png\" alt=\"8228d74b 5673 4eb0 B93a 86935307d8f7 1780672895\" width=\"769\" height=\"57\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/8228d74b-5673-4eb0-b93a-86935307d8f7-1780672895.png 769w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/8228d74b-5673-4eb0-b93a-86935307d8f7-1780672895-700x52.png 700w\" sizes=\"(max-width: 769px) 100vw, 769px\" \/><\/a><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">When the browser trusts this origin, JavaScript can perform a range of dangerous actions such as reading the DOM, sending requests on behalf of the user, manipulating the mailbox, creating mailbox rules, or stealing session\/authentication tokens. 
This is why CVE-2026-42897, although &#8220;just&#8221; an XSS, has an impact very close to a complete account compromise.<\/span><\/p>\n<h2 id=\"detailed-technique\"><span style=\"font-family: arial, helvetica, sans-serif\">Detailed technique<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">To successfully exploit this vulnerability, the attacker needs to go through four different stages, from reconnaissance to extracting critical data, with each stage serving as a stepping stone for subsequent attacks.<\/span><\/p>\n<h3 id=\"stage-1-the-attacker-sends-a-crafted-email\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 1 &#8211; The attacker sends a crafted email<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The first step of the attack chain is extremely simple. The attacker just needs to send an email containing a specially crafted HTML or JavaScript payload to an internal user.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/837c4adf-d2bb-4981-87f7-a809a440670e-1780672904.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24796\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/837c4adf-d2bb-4981-87f7-a809a440670e-1780672904.png\" alt=\"837c4adf D2bb 4981 87f7 A809a440670e 1780672904\" width=\"774\" height=\"85\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/837c4adf-d2bb-4981-87f7-a809a440670e-1780672904.png 774w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/06\/837c4adf-d2bb-4981-87f7-a809a440670e-1780672904-700x77.png 700w\" sizes=\"(max-width: 774px) 100vw, 774px\" \/><\/a><\/p>\n<h3 id=\"stage-2-exchange-processes-the-email\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 2 &#8211; Exchange processes the email<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">When the email reaches the mailbox, Exchange performs several steps: saving the email to the database, parsing the MIME 
structure, converting the email into web content, and rendering it in OWA. As mentioned, this process is the root cause of the vulnerability. OWA believes the HTML email is &#8220;valid rich content,&#8221; so it tries to retain as much formatting as possible to give users an experience similar to Outlook desktop. However, during the HTML rebuild, some attacker-controlled content is not completely removed. Simply put, when the attacker sends &#8220;spoofed HTML,&#8221; OWA inadvertently turns it into &#8220;valid HTML,&#8221; and the browser executes it as trusted content. This technique is known as Stored XSS.<\/span><\/p>\n<h3 id=\"stage-3-the-user-opens-the-email-using-owa\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 3 &#8211; The user opens the email using OWA<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">As soon as the victim logs into\u00a0<a href=\"https:\/\/mail.company.com\/owa\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/mail.company.com\/owa\/<\/a>\u00a0and opens the malicious email, the browser will render the email content directly within the OWA website. The crucial point here is that the browser trusts mail.company.com since it is the legitimate company website. Because the JavaScript is executed under the same origin as OWA, the attacker can read the mailbox content, send authenticated requests, access the current session, and manipulate the mailbox on behalf of the user.<\/span><\/p>\n<h3 id=\"stage-4-javascript-begins-to-operate\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 4 &#8211; JavaScript begins to operate<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Once the payload runs successfully, the attacker can perform many dangerous actions right within the victim&#8217;s browser session. 
For example, they can: read emails, send internal emails, create mailbox forwarding rules, steal authentication tokens, automatically conduct internal phishing, or, even more dangerously, download additional payloads from an external server. The frightening aspect is that all these actions occur under the legitimate session of the real user. From the system&#8217;s perspective: Exchange sees the request as valid, the browser sees the JavaScript as valid, EDR doesn&#8217;t detect a malware process, and the SOC struggles to identify any anomalies immediately.<\/span><\/p>\n<h2 id=\"mitre-attampck-mapping\"><span style=\"font-family: arial, helvetica, sans-serif\">MITRE ATT&amp;CK Mapping<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Tactic<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Technique<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Description<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1566.001<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Spearphishing Attachment\/Email<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Execution<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1059.007<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">JavaScript Execution<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Credential Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1539<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Steal Web Session Cookie<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, 
sans-serif\">Collection<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1114<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Email Collection<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Persistence<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1137<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Office Application Startup\/Rules<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1036<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Masquerading\/Spoofing<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Lateral Movement<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1021<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Remote Services via hijacked account<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"assessment\"><span style=\"font-family: arial, helvetica, sans-serif\">Assessment<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Although the CVSS score of 8.1 accurately reflects the severity of the risk of widespread mailbox takeover, the biggest challenge in the CVE-2026-42897 event lies more in security operations (SecOps) than in the exploitation technique itself. In Vietnam, many organizations in the financial sector, government agencies, and large enterprises still operate Microsoft Exchange On-Premise systems as a critical infrastructure. 
In reality, many administrative teams rely almost entirely on the results from Microsoft&#8217;s Health Checker script to assess patch status and report directly to leadership.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">When this tool shows a &#8220;false negative&#8221; (indicating the system is unprotected even though mitigation has been applied), the consequences extend beyond technical issues. It can create significant operational pressure on the SOC and infrastructure team, leading to wasted time on repeated verification and investigation, unnecessary internal alerts, confusion during response efforts, and, more seriously, prompting engineers to make uncontrolled configuration changes or reapply mitigation, inadvertently increasing the risk of system discrepancies or service disruptions.<\/span><\/p>\n<h2 id=\"recommended-actions\"><span style=\"font-family: arial, helvetica, sans-serif\">Recommended actions<\/span><\/h2>\n<h3 id=\"verify-the-exact-status-of-mitigation\"><span style=\"font-family: arial, helvetica, sans-serif\">Verify the exact status of mitigation<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not rely solely on results from the Health Checker or any single tool to conclude that the system is secure.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Verify mitigation at both the configuration and actual behavior levels.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Save configuration snapshots before and after applying mitigation.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Standardize the verification checklist for the SOC and operations team.<\/span><\/li>\n<\/ul>\n<h3 id=\"check-the-status-of-eems\"><span style=\"font-family: arial, helvetica, sans-serif\">Check the status of the Exchange Emergency Mitigation Service (EEMS)<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Ensure:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: 
EEMS">
arial, helvetica, sans-serif\">EEMS is enabled.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The server can connect to the Microsoft Office Config Service.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The latest mitigation has been successfully downloaded and applied.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Check whether mitigations are enabled:<\/span><\/p>\n<pre><code class=\"language-powershell\">Get-ExchangeServer | Format-List MitigationsEnabled\n<\/code><\/pre>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Check the applied mitigations:<\/span><\/p>\n<pre><code class=\"language-powershell\">Get-Mitigations\n<\/code><\/pre>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Monitor the related Event IDs: 1005, 1006, 1008.<\/span><\/p>\n<h3 id=\"review-all-internet-facing-exchange-services\"><span style=\"font-family: arial, helvetica, sans-serif\">Review all Internet-facing Exchange services<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Limit OWA access using VPN or Conditional Access.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Apply Geo-IP filtering.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Allow only whitelisted IPs for the admin portal.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Separate administrative access from public access.<\/span><\/li>\n<\/ul>\n<h3 id=\"enhance-monitoring-for-owa\"><span style=\"font-family: arial, helvetica, sans-serif\">Enhance 
monitoring for OWA<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Track anomalies in IIS logs.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Monitor mailbox activity.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Track unusual session\/token activity.<\/span><\/li>\n<\/ul>\n<h3 id=\"strengthen-user-side-protection\"><span style=\"font-family: arial, helvetica, sans-serif\">Strengthen user-side protection<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enforce MFA for OWA.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Limit browser risk.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enhance user awareness:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not open suspicious HTML emails.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not trust unusual internal emails.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"check-for-unusual-outbound-email\"><span style=\"font-family: arial, helvetica, sans-serif\">Check for unusual outbound email<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Focus on:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Sudden increase in sending volume.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Mass internal sending.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Sending to unknown domains.<\/span><\/li>\n<\/ul>\n<h2 id=\"refer\"><span style=\"font-family: arial, helvetica, sans-serif\">References<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/on-prem-microsoft-exchange-server-cve.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, 
<a href">
sans-serif\"><a href=\"https:\/\/github.com\/atiilla\/CVE-2026-42897\" target=\"_blank\" rel=\"noopener ugc nofollow\">atiilla\/CVE-2026-42897: CVE-2026-42897 &#8211; Exchange Health Checker blind spot: outbound IIS URL Rewrite rules silently ignored, making EOMT mitigations invisible in diagnostic reports.<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897\/4518498\" target=\"_blank\" rel=\"noopener ugc nofollow\">Addressing Exchange Server May 2026 vulnerability CVE-2026-42897 | Microsoft Community Hub<\/a><\/span><\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\">\n<p><strong>Exclusive article by experts from FPT IS, FPT Corporation<\/strong><\/p>\n<p><em>Luu Tuan Anh &#8211; Information Security &amp; Cybersecurity Center, <span class=\"hover:entity-accent entity-underline inline cursor-pointer align-baseline\"><span class=\"whitespace-normal\">FPT 
IS<\/span><\/span><\/em><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":24797,"parent":0,"template":"","nang_luc":[790],"danh_muc_goc_nhin_so":[789],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-24791","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","danh_muc_goc_nhin_so-expert-sharing"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/24791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/24797"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=24791"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=24791"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=24791"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=24791"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=24791"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=24791"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=24791"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=24791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}