Russia’s GRU cyber espionage unit Fancy Bear (APT28) has intensified its attacks on Microsoft Exchange environments as part of a broader campaign against Western organizations supporting Ukraine. A joint cybersecurity advisory released on May 21, 2025, by 21 international intelligence and cybersecurity agencies describes how Russian General Staff Main Intelligence Directorate (GRU) military unit 26165 has combined an Outlook vulnerability, webmail flaws and abuse of legitimate Exchange features to penetrate high-value targets across NATO countries.

The Exchange-Centric Attack Strategy

Fancy Bear’s current campaign focuses on Microsoft Exchange infrastructure, combining known vulnerabilities with post-exploitation techniques that keep access to mailboxes after the initial foothold is lost. Compromised Exchange servers become intelligence sources: the group systematically harvests mail about Western aid shipments to Ukraine.

The primary initial-access vulnerability is CVE-2023-23397, a critical (CVSS 9.8) elevation-of-privilege flaw in Microsoft Outlook for Windows. A specially crafted message carries a reminder whose sound-file path (the PidLidReminderFileParameter property) points to an attacker-controlled UNC share; when the Outlook client retrieves the message and processes the reminder, it connects to that share and authenticates over SMB, leaking the user’s Net-NTLMv2 hash. No user interaction is needed: the message does not have to be opened, and the trigger fires on the client, not on the Exchange server. The leaked hash can then be relayed to authenticate as the victim, which is how the actors reach Exchange accounts.
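Hunting for messages that carry the property CVE-2023-23397 abuses, as an added example for this article (it is not the advisory’s or Microsoft’s own script). It drives the EWS Managed API from PowerShell; the DLL path, EWS URL and mailbox list are placeholders, and the account running it is assumed to hold ApplicationImpersonation rights. Any item whose PidLidReminderFileParameter value is a UNC path is reported.

```powershell
# Find-ReminderFileParameter.ps1
# Added example for this article; not the advisory's or Microsoft's own script.
# Assumptions (all placeholders): the EWS Managed API 2.2 DLL path in $ewsDll, the EWS URL,
# the mailbox list, and that the running account has ApplicationImpersonation rights.

$ewsDll  = 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
$ewsUrl  = 'https://mail.example.com/EWS/Exchange.asmx'
$targets = @('alice@example.com', 'bob@example.com')

Add-Type -Path $ewsDll

# PidLidReminderFileParameter lives in the PSETID_Common property set, LID 0x851F, as a string.
# Outlook opens this path when the reminder fires; a UNC value (\\host\share) makes the client
# authenticate to that host over SMB, which is where the Net-NTLMv2 hash leaks.
$reminderPath = [Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition]::new(
    [Microsoft.Exchange.WebServices.Data.DefaultExtendedPropertySet]::Common,
    0x851F,
    [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::String)

$svc = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$svc.UseDefaultCredentials = $true
$svc.Url = [Uri]$ewsUrl

# Let the server return only items that carry the property at all.
$filter = [Microsoft.Exchange.WebServices.Data.SearchFilter+Exists]::new($reminderPath)
$props  = [Microsoft.Exchange.WebServices.Data.PropertySet]::new(
    [Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$props.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject)
$props.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::DateTimeReceived)
$props.Add($reminderPath)

$findings = foreach ($mbx in $targets) {
    $svc.ImpersonatedUserId = [Microsoft.Exchange.WebServices.Data.ImpersonatedUserId]::new(
        [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mbx)
    $mailbox = [Microsoft.Exchange.WebServices.Data.Mailbox]::new($mbx)
    # Reminders can sit on mail, appointments and tasks, so look beyond the Inbox.
    foreach ($name in 'Inbox', 'Calendar', 'Tasks', 'JunkEmail', 'DeletedItems') {
        $folder = [Microsoft.Exchange.WebServices.Data.FolderId]::new(
            [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]$name, $mailbox)
        $view = [Microsoft.Exchange.WebServices.Data.ItemView]::new(500)
        $view.PropertySet = $props
        do {
            $page = $svc.FindItems($folder, $filter, $view)
            foreach ($item in $page.Items) {
                $value = $null
                [void]$item.TryGetProperty($reminderPath, [ref]$value)
                # A local file path is benign; a UNC path (\\host\...) is what the exploit uses.
                if ("$value" -match '^\\\\') {
                    [pscustomobject]@{
                        Mailbox      = $mbx
                        Folder       = $name
                        Received     = $item.DateTimeReceived
                        Subject      = $item.Subject
                        ReminderPath = $value
                    }
                }
            }
            $view.Offset += $page.Items.Count
        } while ($page.MoreAvailable)
    }
}

$findings | Format-Table -AutoSize
```

Because Outlook only dereferences the path when the reminder fires, the leak is entirely client-side: patching the Exchange server does nothing for it. The complementary mitigations are the Outlook update itself, blocking outbound TCP 445 from workstations to the internet, and placing high-value accounts in the Protected Users group so their NTLM credentials cannot be used.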


Advanced Exchange Exploitation Techniques

Once inside a mailbox, Fancy Bear uses post-exploitation techniques that reflect deep knowledge of Exchange. The group changes folder permissions in victim mailboxes, raising the “Default” entry (which applies to every authenticated user in the Exchange organization) from “None” to “Owner”, so that any account in the organization can read the folder’s contents.

Key Exchange-specific techniques include:

Permission Manipulation: Attackers set the Default entry on mailbox folders to “Owner”, so that high-value mailboxes can be read from any compromised account in the organization without needing the owner’s credentials again.

Exchange Web Services (EWS) Abuse: The group uses EWS to enumerate folders, collect mail, send additional messages, and keep access even after password resets or other remediation, as long as it still holds any account that the altered folder permissions admit.

Credential Relay Attacks: The Net-NTLMv2 hashes leaked through CVE-2023-23397 are relayed to Exchange servers to authenticate as the victim without knowing the password, giving initial access to the mailbox.

IMAP Collection: Beyond EWS, the actors pull mail in bulk over the Internet Message Access Protocol (IMAP) using compromised credentials; a Basic-authentication IMAP logon also sidesteps MFA that only guards interactive sign-in.

Persistent Access and Stealth Operations

The most concerning aspect of Fancy Bear’s Exchange attacks is their ability to keep unauthorized access after organizations believe they have remediated the breach. Because the grant lives on the mailbox folder rather than on the compromised credential, a permission change at the Exchange level survives password resets and other standard incident response steps.

Microsoft Incident Response teams have observed that these permission modifications let the threat actors keep reading mailbox contents even after losing direct access to the compromised accounts: any other account they hold, or compromise later, inherits the read access that the Default entry grants.
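A way to find folders already exposed by the Default-permission change and to see who changed them, as an added example (not from the advisory or from Microsoft) that serves both the permission-manipulation technique listed above and the persistence it creates. It runs in the Exchange Management Shell; the list of expected rights and the 90-day window are choices, not page facts, and it assumes mailbox audit logging was already enabled when the change happened.

```powershell
# Audit-DefaultFolderAccess.ps1
# Added example for this article; not from the advisory or from Microsoft.
# Run in the Exchange Management Shell (or a remote PowerShell session to Exchange).

# Rights that are normal on the Default/Anonymous entries; anything else is reportable.
$expected = @('None', 'AvailabilityOnly', 'LimitedDetails')
# Folder types worth checking; system folders the permission cmdlet rejects are skipped.
$types = @('Root', 'Inbox', 'SentItems', 'Drafts', 'DeletedItems', 'Archive', 'User Created')

$exposed = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
        Where-Object { $_.FolderType -in $types }
    foreach ($f in $folders) {
        # Statistics report "/Inbox/Projects"; the permission cmdlet wants "smtp:\Inbox\Projects".
        # (Folder names that themselves contain "/" would need escaping; ignored here.)
        $path = $f.FolderPath -replace '/', '\'
        $id   = "$($mbx.PrimarySmtpAddress):$path"
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            $who = "$($p.User)"
            if ($who -notin @('Default', 'Anonymous')) { continue }
            $extra = @($p.AccessRights | ForEach-Object { "$_" } | Where-Object { $_ -notin $expected })
            if ($extra.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = "$($mbx.PrimarySmtpAddress)"
                    Folder  = $path
                    Grantee = $who
                    Rights  = $extra -join ','
                }
            }
        }
    }
}

$exposed | Sort-Object Mailbox, Folder | Format-Table -AutoSize

# For each exposed mailbox, find who made the change and from where. UpdateFolderPermissions is
# the audit operation for folder ACL edits in Exchange Online and recent on-premises builds;
# treat that as an assumption and confirm it is in AuditOwner/AuditDelegate/AuditAdmin on yours.
foreach ($hit in $exposed | Select-Object -ExpandProperty Mailbox -Unique) {
    Search-MailboxAuditLog -Identity $hit -LogonTypes Admin, Delegate, Owner -ShowDetails `
        -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) |
        Where-Object { $_.Operation -eq 'UpdateFolderPermissions' } |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LastAccessed,
                      ClientIPAddress, ClientInfoString, FolderPathName
}

# Remediation for a confirmed backdoor (per folder), after evidence has been preserved:
#   Set-MailboxFolderPermission -Identity 'alice@example.com:\Inbox' -User Default -AccessRights None
```

The audit-log query is the part that distinguishes an attacker’s change from a user sharing a folder on purpose: the ClientInfoString and ClientIPAddress on the UpdateFolderPermissions event show whether the edit came from Outlook on the owner’s workstation or from an EWS client on an unfamiliar address.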

The Polish Cyber Command, which initially detected these attacks, assessed that Fancy Bear demonstrates “thorough knowledge of the architecture and mechanisms of the Microsoft Exchange mail system,” making detection particularly challenging due to the group’s effective evasion techniques.

Vulnerability Exploitation Timeline

Fancy Bear has been exploiting CVE-2023-23397 since at least April 2022, nearly a year before Microsoft disclosed and patched the vulnerability in March 2023. Although the fix has been available for more than two years, organizations continue to fall victim to these attacks, highlighting the persistent threat posed by unpatched Outlook clients and the Exchange environments behind them.

The group has also exploited webmail vulnerabilities outside Exchange, including several flaws in the Roundcube webmail client (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026), to execute arbitrary commands and access email accounts.

Intelligence Gathering and Strategic Impact

Through their Exchange compromises, Fancy Bear systematically gathers intelligence on Western logistics operations supporting Ukraine. The attackers focus on personnel in strategic positions, particularly employees overseeing transportation logistics and cybersecurity staff, while harvesting critical information including train schedules, shipping manifests, and coordination details for aid deliveries.

This intelligence gathering extends beyond traditional espionage, as the group conducts reconnaissance on organizations involved in industrial control system components for railway management, demonstrating the strategic nature of their targeting.

Defensive Recommendations for Exchange Environments

Given the persistent threat to Exchange infrastructure, organizations must implement security measures specifically designed to protect email environments:

Immediate Actions:

  • Apply all available security updates for Microsoft Exchange and Outlook; the CVE-2023-23397 fix is an Outlook client update, so patching the server alone does not close it
  • Implement multi-factor authentication across all Exchange services, and disable or block the legacy protocols (IMAP, POP, Basic authentication) that MFA does not cover
  • Monitor Exchange Web Services (EWS) activity for unusual access patterns, such as new user agents, one account touching many mailboxes, or access from commercial VPN ranges
  • Review and audit mailbox folder permissions regularly, paying particular attention to the Default and Anonymous entries

Advanced Protections:

  • Deploy endpoint detection and response systems with specific focus on Exchange servers
  • Implement network segmentation to isolate Exchange infrastructure
  • Block connections from public VPNs to Exchange services
  • Enable comprehensive logging for all Exchange activities and API calls, including mailbox audit logging with folder-permission changes recorded

Ongoing Monitoring:

  • Conduct regular threat hunting for known Fancy Bear tactics and indicators
  • Monitor for unusual permission changes in Exchange mailboxes
  • Implement automated alerts for one account reading folders in other users’ mailboxes, which is how the permission backdoor appears in logs
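One way to apply the MFA, EWS-monitoring and permission-auditing points above on Exchange, as an added example rather than anything the advisory prescribes. It runs in the Exchange Management Shell; the exception group name, the EWS user-agent allow list and the policy name are placeholders, and the comments mark what must be verified on your own build.

```powershell
# Harden-MailboxProtocols.ps1
# Added example for this article; not from the advisory. Run in the Exchange Management Shell.
# Assumptions: 'IMAP-Exception-Users' is a placeholder group of users who still need IMAP;
# the EWS allow list below names the clients this organization actually uses.

$imapStillNeeded = Get-DistributionGroupMember -Identity 'IMAP-Exception-Users' |
    ForEach-Object { "$($_.PrimarySmtpAddress)" }

# 4 (one-time). An authentication policy that refuses legacy (non-modern) logons to the
# protocols the actors collect over. On-premises this requires Hybrid Modern Authentication;
# without it Outlook still relies on NTLM/Basic for EWS features such as free/busy, so verify
# on your build before assigning the policy broadly.
if (-not (Get-AuthenticationPolicy -Identity 'No Legacy Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'No Legacy Auth' `
        -BlockLegacyAuthImap -BlockLegacyAuthPop -BlockLegacyAuthWebServices `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover | Out-Null
}

foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $smtp = "$($cas.PrimarySmtpAddress)"

    # 1. Legacy protocols carry no MFA; turn them off unless the user is explicitly excepted.
    Set-CASMailbox -Identity $cas.Identity -PopEnabled $false -ImapEnabled ($smtp -in $imapStillNeeded)

    # 2. Keep EWS (Outlook needs it for free/busy, OOF and MailTips) but only for the user
    #    agents you expect; a bespoke EWS collector is denied. User-agent strings are
    #    attacker-controlled, so this is a tripwire, not a security boundary. Wildcard
    #    matching in EwsAllowList is documented but worth confirming on your build.
    Set-CASMailbox -Identity $cas.Identity -EwsEnabled $true `
        -EwsApplicationAccessPolicy EnforceAllowList `
        -EwsAllowList @('Microsoft Office/*', 'Outlook/*')

    # 3. Mailbox auditing that records folder-permission edits, so the persistence trick
    #    leaves a trail. UpdateFolderPermissions is documented for Exchange Online and recent
    #    on-premises releases (assumption: check Set-Mailbox on your version). In Exchange
    #    Online auditing is on by default and this call only adjusts the operation sets.
    Set-Mailbox -Identity $cas.Identity -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' `
        -AuditOwner    @{Add = 'UpdateFolderPermissions', 'UpdateInboxRules'} `
        -AuditDelegate @{Add = 'UpdateFolderPermissions', 'FolderBind', 'SendAs', 'SendOnBehalf'} `
        -AuditAdmin    @{Add = 'UpdateFolderPermissions', 'FolderBind', 'MessageBind'}

    # Assign the legacy-auth policy (see the caveat above before doing this fleet-wide).
    Set-User -Identity $smtp -AuthenticationPolicy 'No Legacy Auth'
}
```

The FolderBind operation in the delegate and admin sets is what makes the “one account reading another user’s folders” alert possible: once a Default grant is in place, every read by the attacker’s account appears as a delegate FolderBind on the victim mailbox, which is a pattern an ordinary user almost never produces.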

The Broader Implications

Fancy Bear’s sophisticated exploitation of Microsoft Exchange represents a significant evolution in state-sponsored cyber warfare. By targeting the communication backbone of organizations supporting Ukraine, Russia has demonstrated how critical infrastructure vulnerabilities can be weaponized for strategic intelligence gathering.

The persistence and sophistication of these Exchange-focused attacks underscore the need for organizations to treat email security as a national security priority. As Paul Chichester, NCSC Director of Operations, emphasized, “This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine”.

Organizations operating Exchange environments must recognize that they are operating in a threat landscape where nation-state actors possess deep technical knowledge of Microsoft’s email systems and the patience to maintain long-term access for strategic intelligence gathering. The time for reactive security measures has passed—proactive, comprehensive Exchange security is now a matter of operational survival.

Strengthen Your Server Security with Messageware

Data breaches have increased by 72%, and servers can be compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Messageware offers powerful security solutions, including:

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.

Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.