013
ID: 9c75b370-cfc9-4e14-94e9-061a34d016c2
STIX ID: report--9c75b370-cfc9-4e14-94e9-061a34d016c2
Threat Score: 78/100
Positive Technologies reported an active global campaign that abuses known Microsoft Exchange Server vulnerabilities to inject JavaScript keyloggers into Outlook authentication pages, harvesting credentials from at least 65 victims in 26 countries. Variants either write the stolen data to web-accessible files or exfiltrate it via Telegram bots and DNS tunnels. Later analysis attributed related activity and follow-on payloads (PhantomDL/PhantomCore) to a named hacking group, with thousands of accounts collected.
