Introduction
Defenders, we are tracking a critical security development in the Microsoft Exchange ecosystem. Microsoft has released an out-of-band security update to address an actively exploited vulnerability in Microsoft Exchange Server. This flaw involves a cross-site scripting (XSS) vulnerability specifically targeting Outlook Web Access (OWA), allowing threat actors to execute arbitrary JavaScript code within the context of authenticated users.
Given that OWA is a primary entry point for users accessing email from external networks, this vulnerability represents a significant risk for credential theft, session hijacking, and delivering secondary payloads to high-privilege accounts. Active exploitation has been confirmed prior to the patch release, indicating that threat actors are already scanning for and compromising unpatched servers. Immediate remediation is required.
Technical Analysis
Affected Products:
- Microsoft Exchange Server
- Component: Outlook Web Access (OWA) / Outlook on the web
Vulnerability Mechanics: The vulnerability is a stored XSS flaw. A threat actor injects script into a field or request that the Exchange Server stores and later renders to other users. Unlike reflected XSS, which needs the victim to open a crafted link, a stored payload persists on the server and fires every time the affected content is viewed.
When a legitimate user, such as an administrator or another high-value target, loads the affected OWA page, the script executes in their browser inside the OWA origin. Because the browser attaches the victim's session cookie to every request the script makes (whether or not the cookie is readable from JavaScript), the attacker's code can read mail, send mail, and change mailbox settings such as inbox rules, forwarding, and delegates with the victim's permissions. This effectively hands the attacker control of the user's mailbox and, if the victim holds Exchange administrative roles, a foothold for compromising the server itself.
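The rendering bug in model form, as an added example that is not OWA's code and not part of the advisory: an unsafe renderer that concatenates a sender display name and message HTML straight into the page, beside an allow-list sanitizer built on Python's `html.parser` that strips unknown tags, every `on*` event handler, and any `href`/`src` whose scheme is not http(s)/mailto, including whitespace-obfuscated `java\tscript:` variants. The mail fields and payloads are constructed for the demonstration; OWA's real sanitizer is far more elaborate, but the failure mode it must prevent is exactly this one.

```python
"""Added example (not OWA's code): a stored-XSS rendering bug beside an allow-list
sanitizer. Mail fields and payloads below are constructed for the demonstration."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def unsafe_render(sender_display_name, body_html):
    """Vulnerable: attacker-controlled fields are concatenated into the page verbatim,
    so whatever was stored in the mailbox runs in the viewer's OWA origin."""
    return (f"<div class='from'>{sender_display_name}</div>"
            f"<div class='body'>{body_html}</div>")


class Sanitizer(HTMLParser):
    """Allow-list sanitizer: keeps only known tags/attributes, drops every on* handler
    and any href/src whose scheme is not http(s)/mailto. Records what it removed so
    the stripped items can double as a detection signal for hostile mail content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stripped = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS:
            self.stripped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.stripped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src"):
                # Remove whitespace/control characters before the scheme check:
                # browsers still execute "java\tscript:" and "java\nscript:".
                norm = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
                if not norm.startswith(SAFE_URL_SCHEMES):
                    self.stripped.append(f"url:{tag}.{name}={value}")
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>, <img/> need no closing tag

    def handle_endtag(self, tag):
        if tag.lower() in ALLOWED_TAGS:
            self.out.append(f"</{tag.lower()}>")

    def handle_data(self, data):
        # Text is always re-escaped, so a decoded &lt;script&gt; stays inert.
        self.out.append(html.escape(data))

    def result(self):
        return "".join(self.out)


def safe_render(sender_display_name, body_html):
    """Hardened: plain-text fields are HTML-escaped, rich-text fields are sanitized.
    Returns the markup plus the list of items that were stripped."""
    s = Sanitizer()
    s.feed(body_html)
    s.close()
    return (f"<div class='from'>{html.escape(sender_display_name)}</div>"
            f"<div class='body'>{s.result()}</div>", s.stripped)


# Constructed stored payload: display name and message body as an attacker would save them.
EVIL_NAME = "Bob <script>alert(document.cookie)</script>"
EVIL_BODY = ('<p>Hi</p><img src=x onerror="alert(document.cookie)">'
             '<a href="java\tscript:alert(1)">invoice</a>')

if __name__ == "__main__":
    print(unsafe_render(EVIL_NAME, EVIL_BODY))   # script tag and handler survive
    markup, stripped = safe_render(EVIL_NAME, EVIL_BODY)
    print(markup)
    print("stripped:", stripped)
```

The design point is the allow-list: a deny-list of known-bad strings is what attackers enumerate around, whereas an allow-list fails closed when a new tag or attribute appears. The `stripped` list is worth logging; a message that sheds several event handlers on render is itself an indicator.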
Exploitation Status:
- Actively Exploited: Yes. Reports indicate this vulnerability is being used in real-world attacks.
- Attack Vector: Web-based (HTTP/HTTPS). The victim only needs to open the message or OWA view that carries the stored payload; no link click or other interaction is required.
Detection & Response
Detecting exploitation after the fact is hard for three reasons: the traffic is ordinary HTTPS to the Exchange server; IIS logs record the URL and query string but not request bodies; and a stored payload that rides inside an email reaches the victim's browser without ever appearing in a URL. The rules below therefore catch probing and reflected-style injection through query strings and request headers, which is where most scanners and initial testing show up. Pair them with hunting for post-exploitation behaviour: new inbox rules or forwarding, unexpected mailbox delegations, OWA sessions from unfamiliar addresses, and PowerShell executions on the Exchange server.
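As an added example (not code from the advisory), the same hunt the Sigma and KQL rules below express, run in Python over a constructed IIS W3C log excerpt. It reads the column layout from the `#Fields:` header instead of assuming positions, percent-decodes repeatedly so double-encoded probes such as `%253Cscript` are not missed, checks the Referer and User-Agent fields as well as the query string, and keeps the `/owa` scope, which is why the `/ecp` probe in the sample is deliberately not reported. The log lines and addresses are constructed.

```python
"""Added example (not from the advisory): replay the OWA XSS hunt from the detection
rules over IIS W3C log lines. The log excerpt below is constructed for the demo."""
import re
from urllib.parse import unquote

# Constructed excerpt in the default IIS W3C field order. IIS writes one space per
# field and logs the query URL-encoded, so '<' appears as %3C and a probe can be
# double-encoded (%253C) to slip past a naive 'contains <script' check.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-15 08:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120
2026-05-15 08:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/&reason=0 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 45
2026-05-15 08:00:03 10.0.0.5 GET /owa/ ae=Item&t=IPM.Note&id=%3Cscript%3Ealert(1)%3C/script%3E 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 10
2026-05-15 08:00:04 10.0.0.5 GET /owa/ q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 198.51.100.7 curl/8.0 - 200 0 0 11
2026-05-15 08:00:05 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 python-requests/2.31 javascript:alert(1) 200 0 0 9
2026-05-15 08:00:06 10.0.0.5 GET /ecp/ id=%3Cscript%3E 443 - 198.51.100.7 curl/8.0 - 200 0 0 9
"""

# Same fragments the Sigma/KQL rules look for, applied after decoding, so only the
# raw forms are needed. Case-insensitive because browsers are; '+' is accepted as
# a space because clients may encode spaces that way in the query string.
XSS_PATTERN = re.compile(r"<script|javascript:|on(error|load|mouseover)[\s+]*=|fromcharcode", re.I)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # layout may change mid-file
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue   # truncated line; IIS never writes a literal space inside a field
        yield dict(zip(fields, values))


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %253C (double-encoded '<') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hunt_owa_xss(text):
    """Return the OWA requests whose query, Referer or User-Agent carries a script fragment."""
    hits = []
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith("/owa"):
            continue   # same scope as the Sigma rules; widen to /ecp or /ews if wanted
        for field in ("cs-uri-query", "cs(Referer)", "cs(User-Agent)"):
            raw = row.get(field, "-")
            if raw != "-" and XSS_PATTERN.search(decode_fully(raw)):
                hits.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                             "field": field, "value": raw, "status": row["sc-status"]})
    return hits


if __name__ == "__main__":
    for h in hunt_owa_xss(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} {h['field']}={h['value']} -> HTTP {h['status']}")
```

Point the parser at the real files under `C:\inetpub\logs\LogFiles\W3SVC*\` on the Exchange server; the `#Fields:` header there decides the column names, so a customised log layout needs no code change. Note the HTTP status in each hit: a 302 to the logon page means the probe arrived unauthenticated, while a 200 against an authenticated OWA session is the case to escalate.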
Sigma Rules
The following Sigma rules flag probable XSS probing against the OWA interface in IIS or web-proxy logs. Field names follow the IIS W3C schema (cs-uri-stem, cs-uri-query, cs-referer, cs-user-agent); map them to your proxy's field names when deploying. Because IIS records the query string URL-encoded, each pattern is listed in both raw and encoded form.
```yaml
---
title: Potential XSS Injection in Exchange OWA
id: 8a2b4c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential XSS injection attempts against Outlook Web Access (OWA) endpoints by matching script fragments, raw or URL-encoded, in the request query string.
references:
    - https://attack.mitre.org/techniques/T1059/007
    - https://attack.mitre.org/techniques/T1190
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.007
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains: '/owa'
        cs-uri-query|contains:
            - '<script'
            - '%3Cscript'
            - 'javascript:'
            - 'javascript%3A'
            - 'onerror='
            - 'onerror%3D'
            - 'onload='
            - 'onload%3D'
            - 'fromcharcode'
    condition: selection
falsepositives:
    - Authorised penetration testing or vulnerability scanning
    - Legitimate search terms or message identifiers containing these strings (rare)
level: high
```

```yaml
---
title: Suspicious OWA Request with Script Fragments in Referer or User-Agent
id: 9b3c5d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects requests to OWA whose Referer or User-Agent header contains script fragments, indicative of probing for XSS in header reflection.
references:
    - https://attack.mitre.org/techniques/T1190
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-stem|contains: '/owa'
    selection_headers:
        - cs-referer|contains:
            - '<script'
            - 'javascript:'
        - cs-user-agent|contains:
            - '<script'
            - 'javascript:'
    condition: selection_uri and selection_headers
falsepositives:
    - Vulnerability scanners and authorised testing; a header probe is reconnaissance, not proof of a successful injection
level: high
```
**KQL (Microsoft Sentinel / Defender)**
Use this query to hunt for XSS patterns in IIS logs forwarded to Sentinel as Syslog/CEF. If IIS logs are collected natively, run the same match against the `W3CIISLog` table, where the query string is in `csUriQuery` and the path in `csUriStem`.

```kusto
// Hunt for XSS patterns in Exchange OWA requests forwarded as CEF/Syslog
CommonSecurityLog
| where DeviceProduct in ("IIS", "Microsoft Exchange")
| where RequestURL contains "/owa"
// (?i) makes the match case-insensitive; the %3C/%3A/%3D alternatives cover the
// URL-encoded forms IIS writes to its logs
| where RequestURL matches regex @"(?i)(<|%3C)script|javascript(:|%3A)|on(error|load)(=|%3D)|fromcharcode"
| project TimeGenerated, DeviceAddress, SourceIP, DestinationIP, RequestURL, RequestMethod
| order by TimeGenerated desc
```
**Velociraptor VQL**
This VQL query hunts IIS log files on the Exchange server for recent XSS injection attempts. It assumes the default W3C field order; check the `#Fields:` header of your logs and adjust the regex if the server uses a custom layout.

```sql
-- Hunt for XSS patterns in IIS log files on an Exchange server (last 7 days).
-- Field positions follow the default W3C layout: date time s-ip cs-method
-- cs-uri-stem cs-uri-query s-port cs-username c-ip ...
LET log_files = SELECT OSPath, Mtime, Size
  FROM glob(globs='C:/inetpub/logs/LogFiles/W3SVC*/*.log')
  WHERE Mtime > timestamp(epoch=now() - 7 * 86400)

LET log_rows = SELECT OSPath, parse_string_with_regex(string=Line,
      regex='^(?P<date>[^ ]+) (?P<time>[^ ]+) (?P<s_ip>[^ ]+) (?P<cs_method>[^ ]+) (?P<cs_uri_stem>[^ ]+) (?P<cs_uri_query>[^ ]+) (?P<s_port>[^ ]+) (?P<cs_username>[^ ]+) (?P<c_ip>[^ ]+)') AS parsed
  FROM foreach(row=log_files, query={
      SELECT OSPath, Line FROM parse_lines(filename=OSPath)
      WHERE NOT Line =~ '^#'   -- skip the W3C header lines
  })

-- Encoded variants are listed explicitly because IIS logs the query URL-encoded.
SELECT OSPath, parsed.date AS Date, parsed.time AS Time, parsed.c_ip AS ClientIP,
       parsed.cs_uri_stem AS UriStem, parsed.cs_uri_query AS UriQuery
FROM log_rows
WHERE parsed.cs_uri_stem =~ '(?i)^/owa'
  AND parsed.cs_uri_query =~ '(?i)(<|%3C)script|javascript(:|%3A)|on(error|load)(=|%3D)|fromcharcode'
```
**Remediation Script (PowerShell)**
This script reads the Exchange Server build from ExSetup.exe (which, unlike `Get-ExchangeServer`'s AdminDisplayVersion, reflects installed Security Updates) and compares it with the fixed build for the server's Cumulative Update. *Note: Replace the placeholder build numbers with the exact fixed builds from the official Microsoft advisory for this vulnerability, one per supported CU; the script refuses to run until you do.*

```powershell
# Exchange Server Security Check Script
# Run this on each Exchange Server. ExSetup.exe carries the full build, including
# Security Updates; Get-ExchangeServer's AdminDisplayVersion shows only the CU.
Write-Host "Checking Exchange Server Version and Patch Status..." -ForegroundColor Cyan

# Replace the placeholders with the 'Fixed' builds from the official advisory, one
# entry per supported CU. Exchange builds are Major.Minor.CU.SU: 15.1.x = Exchange 2016,
# 15.2.x = Exchange 2019 / Subscription Edition. A Security Update changes only the
# last component, so the comparison below is made within the same CU line.
$fixedBuilds = @(
    "15.1.XXXX.XXX",
    "15.2.XXXX.XXX"
)
if ($fixedBuilds -match 'X') {
    Write-Host "Error: replace the placeholder build numbers in `$fixedBuilds first." -ForegroundColor Red
    return
}

# Get Exchange Server Version
if (-not $env:ExchangeInstallPath -or -not (Test-Path (Join-Path $env:ExchangeInstallPath "Bin\ExSetup.exe"))) {
    Write-Host "Error: Exchange Setup path not found. Are you on an Exchange Server?" -ForegroundColor Red
    return
}
$exSetupPath = Join-Path $env:ExchangeInstallPath "Bin\ExSetup.exe"
# Cast to [version]: compared as strings, "15.2.986.9" would sort above "15.2.1118.0".
$fileVersion = [version](Get-Item $exSetupPath).VersionInfo.FileVersion
Write-Host "Current Exchange Build: $fileVersion" -ForegroundColor Yellow

# Find the fixed build for this server's CU line (same Major.Minor.Build).
$matchedFixed = $null
foreach ($build in $fixedBuilds) {
    $fixed = [version]$build
    if ($fileVersion.Major -eq $fixed.Major -and $fileVersion.Minor -eq $fixed.Minor -and $fileVersion.Build -eq $fixed.Build) {
        $matchedFixed = $fixed
        break
    }
}

if ($null -eq $matchedFixed) {
    $cuLine = "$($fileVersion.Major).$($fileVersion.Minor).$($fileVersion.Build)"
    Write-Host "Status: UNKNOWN. CU line $cuLine is not in the advisory's fixed-build list; it may be an unsupported CU with no fix available." -ForegroundColor Red
    Write-Host "Action: Update to a supported Cumulative Update, then apply the Security Update." -ForegroundColor Red
} elseif ($fileVersion -ge $matchedFixed) {
    Write-Host "Status: System appears patched ($fileVersion >= $matchedFixed)." -ForegroundColor Green
} else {
    Write-Host "Status: VULNERABLE. Build $fileVersion is below the fixed build $matchedFixed." -ForegroundColor Red
    Write-Host "Action: Apply the Security Update for this CU immediately." -ForegroundColor Red
}
```
Remediation
To mitigate this threat effectively, Security Arsenal recommends the following immediate actions:
- Apply Patches Immediately: Deploy the Security Update Microsoft has released for your Exchange Cumulative Update; servers on an unsupported CU must first move to a supported one. Do not delay; active exploitation has been confirmed.
- Verify Update Installation: Use the PowerShell script provided above to confirm that ExSetup.exe on every Exchange server reports the fixed build for its CU as listed in the vendor advisory.
- Check for Indicators of Compromise (IOCs): Review IIS logs for the XSS patterns defined in the Detection section. Treat any hit from an unexpected client, and any hit followed by new inbox rules, forwarding, or delegation changes, as a possible session hijack.
- Force Password Reset: If you confirm exploitation on your server, force a password reset for all users who accessed OWA during the compromise window and terminate their sessions (for hybrid users, revoke refresh tokens in Entra ID as well). A password reset does not undo persistence set up through the hijacked session, so also audit and remove inbox rules, forwarding addresses, and delegates created in that window.
- Limit Exposure: Do not expose OWA directly to the internet without a Web Application Firewall (WAF) or an authenticating reverse proxy, and configure WAF rules to block common XSS patterns. This is a compensating control, not a fix: it does not replace the patch, and it cannot inspect a payload that reaches users inside stored mail content.
Official Advisory: Refer to the latest Microsoft Security Response Center (MSRC) blog post for the specific KB articles and download links related to this May 2026 release.