Keyloggers found on Outlook web login pages

Cybersecurity researchers at Positive Technologies have discovered silent JavaScript keyloggers embedded in the Outlook on the Web (OWA) login pages of compromised Microsoft Exchange servers. 

What happened

According to HelpNet Security, on June 17, cybersecurity researchers at Positive Technologies discovered that unknown threat actors had secretly injected JavaScript keyloggers into the Outlook on the Web (OWA) login page of compromised Microsoft Exchange servers. These infected servers belong to government agencies and private organizations across Asia, Europe, Africa, the Middle East, and Australia, including Vietnam, Russia, Taiwan, China, and more.

Going deeper

While some servers were already vulnerable to known exploits, like ProxyLogon (CVE‑2021‑26855), ProxyShell (three CVEs in 2021), and SMBGhost (CVE‑2020‑0796), others had no known vulnerabilities, suggesting that the attackers used alternative methods to gain access. Once inside, attackers added either:

• Local‑file keyloggers: JavaScript captures login credentials (and sometimes cookies), then writes them to server files accessible online.
• Remote‑exfil keyloggers: Data is sent to Telegram bots or Discord servers, tagged to identify the victim’s organization.

The malicious code was invisible to legitimate users during login, making detection extremely difficult.

Identifying the risk

Positive Technologies developed and shared a custom YARA rule to help organizations detect malicious JavaScript keyloggers injected into Outlook on the Web (OWA) login pages. This rule is specifically tailored to identify suspicious patterns that match the behavior and structure of the injected scripts.

How to use it:

• Scan server files: Apply this rule to directories on your Microsoft Exchange server, especially folders hosting OWA login pages and scripts (e.g., aspnet_client).
• Flag key indicators: The rule matches common elements used in malicious scripts, such as attempts to extract credentials via getElementById, and exfiltrate data using XMLHttpRequest or fetch functions targeting Telegram or Discord.
• Automate detection: Incorporate this YARA rule into endpoint detection systems or manual scanning tools to proactively search for embedded threats.

Additional signs of compromise:

• New or altered .js or .aspx files with obfuscated code.
• Scripts that reference external URLs or APIs for data transmission.
• Web server logs showing outbound requests to messaging platforms during or after login attempts.

Proactive scanning using YARA rules like this can significantly improve detection and reduce dwell time before attackers exploit stolen credentials.

What was said 

According to HelpNet Security, Positive Technologies’ report focuses on the global spread, stating, “The majority of compromised servers were found in government organizations (22 servers belonging to government entities), as well as in the IT, industrial, and logistics companies.” They stressed that the delivery method remains unclear, urging organizations to scan all authentication pages and directories linked to Exchange servers for suspicious or modified JavaScript. The researchers even provided YARA rules to facilitate detection. 

Why it matters

This attack goes beyond simple malware infections. It compromises trust in enterprise email systems by:

• Directly harvesting login credentials gives attackers full access to inboxes, files, and internal communications.
• Targeting high-value organizations, including government departments and critical industries.
• Remaining undetected, as the malicious scripts are silent, making the breach durable and difficult to identify.

The scope, covertness, and specificity of these attacks make them a potent threat in both cybersecurity and geopolitical contexts.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

What is the YARA rule and how does it help?

A YARA rule is a pattern-matching script used to detect malware or suspicious behavior. The rule shared by researchers identifies the specific JavaScript patterns used by the keyloggers.

What should organizations do if they find evidence of compromise?

• Immediately remove the malicious scripts
• Reset all affected passwords
• Revoke active sessions or tokens
• Perform a broader forensic investigation to assess further damage or lateral movement.

What long-term actions should organizations take?

Beyond patching, organizations should adopt regular code reviews, endpoint monitoring, threat hunting, and apply least-privilege access controls. Proactive scanning and behavioral analytics are essential to detect stealthy threats like this.