Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
ID: e94f90b7-c487-523b-9476-c03294540003
STIX ID: report--e94f90b7-c487-523b-9476-c03294540003
Feed Name: Volexity Blog
Volexity reports active attacks against Microsoft Exchange that chain an authentication bypass and an RCE (via Set-OabVirtualDirectory) to access mailboxes and drop webshells (SIMPLESEESHARP, SPORTSBALL and others); attackers then perform credential dumping, lateral movement, and data exfiltration. The report supplies detailed IOCs (targeted OWA/ECP paths, suspicious POST entries, User-Agent strings, attacker IPs), examples of exploit activity in logs, and YARA signatures for webshells, and urges immediate patching or isolation of Exchange servers.
