Threat Response – Increase in malicious spam activity

04-11-2021


On Thursday, November 4, the Northwave CERT took note of a new attack method used by a specific actor to send malicious spam (malspam). The attackers exploit the large number of still unpatched Microsoft Exchange servers to capture mails and resend them to the recipients from that same Exchange server, with two malicious URLs added. The chance that the recipient opens the malware is considerable, because spam/malware sent this way comes from a trusted sender and from the correct address.

Description

The attackers exploit the ProxyLogon vulnerability[1][2][3] (see also our Threat Response dated March 3, 2021) in Microsoft on-premises Exchange to capture emails and resend them with malicious URLs added. When a user clicks the link in the email, a ZIP file opens that contains malware: a backdoor called QBot[4]. In the experience of the Northwave CERT, the combination of this actor and QBot often leads to ransomware attacks. The risk of infection by this form of malspam is higher than usual, because the mails originate from a trusted sender.

The text added by the attackers may look like the one below, but multiple languages have been observed.

Important note: The emails are genuine, previously sent emails and really do come from a partner, client or other legitimate contact!

Impact

When the link is clicked and the document is opened, a backdoor will be installed and the attackers will gain control of the PC. Ransomware is a real consequence of this backdoor. Therefore we estimate the impact as high.

Risk

Because of the size of the attack and the effectiveness of the campaign, we rate the risk as high.

Mitigation

To mitigate this threat, there are two options:

  1. If you have received these emails, immediately scan the user’s PC/laptop for malware. If the user indicates they have clicked the link, it is recommended that you rebuild the workstation and reset the user’s password. Then notify the sender that it is highly likely that their Exchange is being misused in this attack.
  2. If you have an on-premises Exchange, check the IIS web server log for the following log line. If this log line is present on the host, the ProxyLogon vulnerability has likely been exploited; we recommend calling the CERT for further investigation.

/autodiscover/autodiscover.json [email protected]edu.edu/ews/exchange.asmx
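As an added illustration of the IIS log check in step 2 (example code written for this page, not Northwave's own tooling), the script below parses IIS W3C logs and flags autodiscover.json requests that carry an "@host/ews/exchange.asmx" fragment, the stable part of the log line above. The log excerpt is constructed, and the field layout is assumed to be the IIS default as declared in the #Fields directive.

```python
import re
import sys
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for demonstration (not from the advisory or a
# real incident). Field order follows the #Fields directive, as IIS writes it.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-04 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2021-11-04 09:12:44 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe%40example.test&Protocol=Ews 443 - 203.0.113.9 Outlook/16.0 200
2021-11-04 09:13:10 10.0.0.5 GET /autodiscover/autodiscover.json @edu.edu/ews/exchange.asmx 443 - 203.0.113.9 python-requests/2.25 200
2021-11-04 09:14:02 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
"""

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# The stable part of the indicator from the advisory: an "@<host>/ews/exchange.asmx"
# fragment riding along with a request for autodiscover.json.
EWS_TAIL = re.compile(r"@[^\s/]+/ews/exchange\.asmx", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspicious_autodiscover(text):
    """Return requests whose stem is autodiscover.json and whose decoded
    stem+query carry the @host/ews/exchange.asmx fragment."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        # Decode percent-encoding so an encoded "@" or "/" does not slip past the check.
        request = unquote(f"{stem} {rec.get('cs-uri-query', '')}")
        if stem.lower().startswith(AUTODISCOVER_JSON) and EWS_TAIL.search(request):
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "client": rec.get("c-ip"), "status": rec.get("sc-status"),
                         "request": request})
    return hits


if __name__ == "__main__":
    # Pass one or more IIS log files (e.g. u_ex211104.log); with none, scan the sample.
    text = "\n".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]) or SAMPLE_IIS_LOG
    for hit in find_suspicious_autodiscover(text):
        print(f"{hit['time']} client={hit['client']} status={hit['status']} request={hit['request']}")
```

Legitimate Autodiscover v2 requests (such as the Email=...&Protocol=Ews query in the sample) are not flagged; only the combination of the JSON endpoint and the @host/ews/exchange.asmx fragment is.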

What will Northwave do?

Northwave is monitoring developments regarding this campaign. If important new information about this threat becomes available, we will inform you. If you need additional information, we can be reached by phone or email. Northwave’s detection and prevention platform stops the installation of the QBot backdoor and alerts our analysts to the presence of this malware.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[2]: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
[3]: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
[4]: https://blog.malwarebytes.com/detections/backdoor-qbot/

Kind regards,

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.