Code Defence Cyber security

Attackers are back inside your email server through a new bypass. 📧

CVE-2026-2188 · Severity 9.1 · Critical authentication bypass in Microsoft Exchange Server.

We are seeing state-sponsored actors leverage this flaw to access executive mailboxes without needing valid credentials. This affects on-premise Exchange environments that haven't applied the latest cumulative updates.

Once inside, attackers are setting up silent forwarding rules to exfiltrate sensitive commercial data. This activity often goes undetected by standard EDR because it uses native server functions.

The uncomfortable truth: Your email server remains the most valuable treasure chest for corporate espionage.

→ Apply the February 2026 Cumulative Update (CU) to all Exchange Servers.

→ Run a global audit of mailbox forwarding rules for all high-level accounts.

→ Check your IIS logs for unusual POST requests to the /autodiscover/ endpoint.
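
A starting point for the IIS log check in the last step, added here as an example (not Code Defence's or Microsoft's code). The log lines are constructed, and the definition of "unusual" used below (a 2xx response to a POST with no authenticated username) is an assumed triage heuristic, not a published indicator for this CVE.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-02-10 08:01:12 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 alice@corp.example 10.0.4.21 Microsoft+Office/16.0 200
2026-02-10 08:01:40 10.0.0.5 GET /owa/ - 443 bob@corp.example 10.0.4.22 Mozilla/5.0 200
2026-02-10 08:02:03 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.4.23 Microsoft+Office/16.0 401
2026-02-10 03:14:07 10.0.0.5 POST /Autodiscover/autodiscover.json - 443 - 203.0.113.50 python-requests/2.31 200
2026-02-10 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 203.0.113.50 python-requests/2.31 200
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def autodiscover_posts(records):
    """Group POST requests under /autodiscover/ (case-insensitive) by client IP."""
    by_ip = defaultdict(list)
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") == "POST" and stem.startswith("/autodiscover/"):
            by_ip[r.get("c-ip", "-")].append(r)
    return dict(by_ip)

def review_candidates(by_ip):
    """Assumed heuristic: 2xx response while cs-username is '-' (unauthenticated)."""
    out = {}
    for ip, reqs in by_ip.items():
        hits = [r for r in reqs if r.get("cs-username", "-") == "-"
                and r.get("sc-status", "").startswith("2")]
        if hits:
            out[ip] = {"count": len(hits),
                       "agents": sorted({r.get("cs(User-Agent)", "-") for r in hits}),
                       "first_seen": min(f'{r.get("date")} {r.get("time")}' for r in hits)}
    return out

if __name__ == "__main__":
    posts = autodiscover_posts(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip, info in review_candidates(posts).items():
        print(ip, info)
```

IIS timestamps are UTC by default, so convert before comparing `first_seen` against mailbox rule creation times.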

When was the last time you audited for unauthorized forwarding rules in your executive mailboxes? 👇

#Cybersecurity #EmailSecurity #Infosec #ExchangeServer #CISO #CodeDefence
