Squirrelwaffle, a malware loader that emerged in September 2021, continues to spread through Microsoft Exchange servers compromised via the ProxyLogon and ProxyShell vulnerabilities. Sophos observed that the attackers use the hijacked mailboxes to push Squirrelwaffle by replying inside existing email threads, so the malicious messages arrive in a conversation the recipient already recognises. Sophos's investigation also found the same attackers committing financial fraud with information taken from the hijacked email. One hijacked thread contained details of a customer payment: the attackers registered a "typo-squatted" lookalike of the victim's domain and sent fraudulent replies into that thread, asking for help with the payment in a way that would put the customer's payment under their control.
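The fraud described above depends on a reply arriving from a domain that looks like, but is not, the domain the thread was originally exchanged with. The following is an added example (not code from the page or from Sophos) of a check a mail gateway or analyst script could run over a thread: it folds common homoglyph substitutions, measures edit distance, and flags a later sender whose domain is a near-match of a domain seen earlier in the same thread. The thread data, the homoglyph table and the distance threshold are constructed assumptions for illustration.

```python
"""Flag replies whose From: domain is a lookalike of a domain seen earlier in
the thread.  Added example; all sample data below is constructed."""
import unicodedata
from email.utils import parseaddr

# Single-character substitutions commonly used in typosquats (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def fold(domain):
    """Lower-case, Unicode-normalise and fold homoglyphs so that
    'supp1ies' and 'supplies' compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate, trusted, max_distance=2):
    """True if `candidate` is a near-match of `trusted` but not identical to it."""
    c_raw, t_raw = candidate.lower().rstrip("."), trusted.lower().rstrip(".")
    if c_raw == t_raw:
        return False                      # same domain: legitimate reply
    c, t = fold(c_raw), fold(t_raw)
    if c == t:
        return True                       # differ only by homoglyph swaps
    if levenshtein(c, t) <= max_distance:
        return True                       # a typo or two away
    base = t.split(".")[0]
    # Trusted name embedded in a longer label, e.g. acme-supplies-billing.example
    return len(base) >= 4 and base in c


def domain_of(from_header):
    """Extract the domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]


def find_suspicious_replies(thread):
    """thread: list of dicts with a 'from' header, oldest first.
    Returns (index, sender_domain, trusted_domain) for each lookalike reply."""
    seen = []                             # domains of earlier messages, in order
    hits = []
    for idx, msg in enumerate(thread):
        d = domain_of(msg["from"])
        for trusted in seen:
            if is_lookalike(d, trusted):
                hits.append((idx, d, trusted))
                break
        if d not in seen:
            seen.append(d)
    return hits


# Constructed thread: supplier and customer exchange mail, then a fourth
# message arrives from a lookalike of the supplier's domain ('1' for 'l').
SAMPLE_THREAD = [
    {"from": "Accounts <ap@acme-supplies.example>"},
    {"from": "Buyer <buyer@customer.example>"},
    {"from": "Accounts <ap@acme-supplies.example>"},
    {"from": "Accounts <ap@acme-supp1ies.example>"},
]

if __name__ == "__main__":
    for idx, d, trusted in find_suspicious_replies(SAMPLE_THREAD):
        print(f"message {idx}: {d} looks like {trusted}")
```

The check is deliberately thread-scoped: a lookalike is only meaningful relative to a correspondent the recipient has already exchanged mail with, which is exactly the trust the attackers in the Sophos case were exploiting. In production it would sit alongside SPF/DKIM/DMARC results and a newly-registered-domain lookup rather than replace them.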

