Skip to main content
Skip to main content
Microsoft Security Intelligence
Published Sep 09, 2022 | Updated Oct 03, 2022


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Microsoft Defender Antivirus detects and removes this threat.

This backdoor is associated with attacks that exploit vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.

This threat is a malicious Internet Information Services (IIS) module leveraged by attackers to maintain access and persistence on a target device.

For more information and guidance from Microsoft about this threat, read the following blogs:

Microsoft Defender Antivirus  automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in our Microsoft Security Response Center post. Microsoft has released a script to apply these mitigations against the SSRF vulnerability CVE-2022-41040, available at Microsoft has confirmed that the publicly discussed URL Rewrite Instructions can break current attack chains.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us