We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Behavior:Win32/IISExchgDropWebshell.A!dha
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is associated with attacks that exploit vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.
For more information and guidance from Microsoft about this threat, read the following blogs:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don'thave this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in our Microsoft Security Response Center post . Microsoft has released a script to apply these mitigations against the SSRF vulnerability CVE-2022-41040, available at https://aka.ms/eomtv2 . Microsoft has confirmed that the URL Rewrite Instructions discussed publicly can break current attack chains.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
