Microsoft Exchange Zero-Day CVE-2026-42897 Actively Exploited Through Crafted Emails

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Microsoft Exchange Zero-Day CVE-2026-42897 Actively Exploited Through Crafted Emails

A newly disclosed Microsoft Exchange Server vulnerability allows attackers to trigger spoofing and browser-based code execution through malicious emails opened in Outlook Web Access.

Microsoft Confirms Active Exploitation

Microsoft has revealed a serious security flaw in on-premises Exchange Server that attackers are already exploiting in real-world attacks. The vulnerability, tracked as CVE-2026-42897, has a CVSS score of 8.1 and creates major risks for organizations using local Exchange environments.

The issue affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. It does not affect Exchange Online.

How the Attack Works

CVE-2026-42897 is a spoofing vulnerability caused by a cross-site scripting (XSS) weakness. Attackers can send a specially crafted email to a target user. When the user opens that email in Outlook Web Access (OWA), the browser may run malicious JavaScript code.

The attacker does not need authentication to launch the attack. However, the victim must interact with the email under certain conditions.

This method can lead to credential theft, session hijacking, internal phishing, and further movement inside the network.

Microsoft Provides Immediate Mitigation

Microsoft has already released a temporary protection through the Exchange Emergency Mitigation Service (EEMS). This service applies a URL rewrite rule automatically and blocks the attack path.

EEMS stays enabled by default in supported environments. Administrators should confirm that the Windows service is running correctly.

Organizations using air-gapped systems may not use EEMS. In that case, Microsoft recommends the Exchange On-Premises Mitigation Tool (EOMT). Security teams can apply this mitigation to one server or across the full Exchange environment.

Why This Matters for Businesses

Attackers continue to target on-premises infrastructure because it often receives slower updates and weaker visibility. Exchange servers remain a high-value target because they handle sensitive communication and internal access.

A successful attack can open the door to business email compromise, credential abuse, and long-term persistence inside the network.

Security leaders should act quickly. Teams should apply the mitigation, monitor Exchange logs, review OWA activity, and prepare for Microsoft’s permanent patch once it becomes available.

In cybersecurity, fast action often prevents a small flaw from becoming a major incident.

Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

Nottingham University Data Breach Exposes Records of More Than 450,000 Students

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Infrastructure

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Anthropic Unveils Claude Fable 5 with Built-In Cyber Safeguards as AI Security Enters a New Era

ATHR AI Vishing Platform Automates Voice Phishing at Scale

How Modern Businesses Can Measure Cyber Risk in Financial and Operational Terms Instead of Technical Guesswork

What Is Wiper Malware in Cybersecurity? Understanding One of the Most Destructive Types of Cyber Attacks

Why Delaying Software Updates Can Put Your Entire Digital Security at Risk

How Attackers Abuse Legitimate Windows Tools: Understanding LOLBins and Living-Off-the-Land Attacks

Brave Launches Paid ‘Origin’ Browser for Users Seeking a Cleaner, Privacy-First Experience

Apple Blocks $11 Billion in App Store Fraud as Mobile Threats Continue to Rise

Microsoft Exchange Zero-Day CVE-2026-42897 Actively Exploited Through Crafted Emails