Threat Signal Report

Recent Reply-Chain Email Attack Delivering Qakbot

description-logo Description

FortiGuard Labs is aware of a report that a reply-chain email attack is using compromised Microsoft Exchange servers to target employees within the affected company. Often refered as "hijacked email reply-chain attack" and "thread hijacking attack", a reply-chain email attack is an attack vector where the attacker sends an email reply with a malicious link or attachment to legitimate emails that were previously stolen. This way, the recipient is tricked into thinking that the reply came from a trusted sender and as such the victim is more likely to open the link or the attachment. In the latest report, Qakbot was reportedly delivered to the victim as a result.

Why is this Significant?

This is significant because the affected Microsoft Exchange servers were reportedly compromised using ProxyShell and ProxyLogon. The attacker then harvests legitimate corporate emails from the compromised email servers and send emails to the potential victims within the affected organization as a reply. Those fake "replied" emails typically have a malicious link or malicious attachment that delivers malware documents. Because the malicious emails are replies to legitimate emails and were sent from legitimate but compromised email servers, the recipients are more likely to open the link or the attachment resulting in malware infection.

What is ProxyShell?

ProxyShell is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. When used in a chain on a vulnerable Microsoft Exchange server, the attack allows the attacker to remotely run malicious code on the targeted system as a result.

FortiGuard Labs previously released two Threat Signals associated with ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and "Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam" and "New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware".

Relevant patches were released by Microsoft in April and May 2021.

What is ProxyLogon?

ProxyLogon refers to CVE-2021-26855. It is a pre-authentication proxy vulnerability in Microsoft Exchange servers that allows a remote actor to bypass authentication and receive admin server privileges. CVE-2021-26855 is typically chained with other exploits for remote code execution. Most notably, the HAFNIUM ATP group used CVE-2021-26855 with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 as a 0-day in targeted attacks, which prompted Microsoft released out-of-cycle patches in March, 2021.

FortiGuard Labs previously released two Threat Signals associated with ProxyLogon. See the Appendix for a link to "Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server".

What Malware is Delivered in the recent Reply-chain Email Attack?

Qakbot appears to be delivered in the recent attack. However, the replay-chain email attack is not new and is known to deliver other malware such as Emotet, SquirrelWaffle and IcedID.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against files used in the attack:


All known network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client.

FortiGuard Labs provides the following IPS signature against ProxyShell:




FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.

FortiGuard Labs provides the following IPS signature against ProxyLogon:


Any Other Suggested Mitigation?

To protect against attacks leveraging ProxyShell and ProxyLogon, it is recommended to restrict untrusted connections to Exchange servers. An alternate recommendation is to set up a VPN to separate the Exchange server from external access. Using either of these mitigation recommendations will only protect against the initial portion of the attack. Other portions of the chain can still be triggered if an attacker already has access or can convince an administrator via social engineering methods to open a malicious file. it is recommended to prioritize installing the available patches on Exchange Servers immediately.

Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.