What Happened
Microsoft confirmed that a previously unknown vulnerability in its Exchange Server email platform — the software used by many organisations to run their internal email systems — is being actively used in attacks. The flaw (CVE-2026-42897) allows an attacker to send a specially crafted email to a target; when the target opens the email using the web-based Outlook interface (OWA), the attacker gains the ability to read all of the target’s emails and access their account without needing their password.
This type of attack, known as session hijacking, works because the target's browser already holds an authenticated session with the email server: once the user has logged in to OWA, the server identifies them by session cookies and tokens rather than by re-checking the password on every request. The malicious email effectively steals the "key" to that session, giving the attacker the same access the user has (all emails, calendar entries, and contacts) with no further user action beyond opening the message. Because the password is never used or changed, there is no failed-login noise for the user or the helpdesk to notice, and evidence of access has to come from the server-side logs rather than from the account's credentials.
Microsoft has not yet released a permanent fix (patch). An automatic interim protective measure, delivered through the Exchange Emergency Mitigation Service (EEMS), was pushed to Exchange servers on 15 May, but organisations must verify it applied correctly: EEMS only applies mitigations on servers where it is enabled and that can reach Microsoft's Office Config Service over outbound HTTPS, so a server that is disconnected or has EEMS disabled stays unprotected.
Business Impact
Email accounts accessed via this exploit can expose:
- Executive and board communications: Strategy discussions, M&A activity, legal correspondence
- Finance and treasury operations: Banking details, financial forecasts, transaction authorisations
- HR and personnel data: Employee personal information, triggering GDPR notification obligations
- Customer data shared via email: Any customer information communicated through the compromised account
The observed targeting of government and financial services sectors by nation-state actors suggests intelligence collection as the primary objective. However, criminal groups typically begin exploiting similar techniques for business email compromise and financial fraud within days of a nation-state campaign becoming public.
Regulatory Implications
If an email account at your organisation is compromised via this exploit and personal data is accessed, GDPR Article 33 requires notification to your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. NIS2 entities (essential and important entities) must send their national CSIRT or competent authority an early warning within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours. DORA financial entities: assess whether the email system compromise meets the criteria for a major ICT-related incident under your incident classification framework, since that classification starts the DORA initial-notification clock to your competent authority.
Board-Ready Summary
- Attackers are using an unpatched flaw in Exchange Server to read employees’ emails without knowing their passwords.
- Confirmed attacks are targeting government agencies and financial institutions, suggesting sensitive corporate communications are of interest to the attackers.
- Verify that the automatic protective measure has applied to your email servers today; prepare to apply an emergency patch when Microsoft releases it.
Recommended Actions
- Immediate (0–24 hours): Verify that the Exchange Emergency Mitigation Service (EEMS) mitigation applied on every Exchange Server. On each server, run Get-ExchangeDiagnosticInfo -Server <ServerName> -Process EdgeTransport -Component RuleUpdateStatus and confirm the rule status is Active. Check every server individually rather than one representative: EEMS applies mitigations per server, and only on servers that are enabled for it and have outbound HTTPS connectivity to Microsoft's Office Config Service, so a mitigation that is active on one server can be missing on another.
- If EEMS is disabled or not applied: Re-enable EEMS (Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true) or apply Microsoft's manual mitigation guidance from the MSRC advisory. A server that cannot reach Microsoft will not pick up the mitigation even with EEMS enabled, so apply the manual mitigation on such servers.
- Consider disabling OWA temporarily: If business operations permit, disabling Outlook on the web (OWA) removes this attack vector until a patch is available, because exploitation requires the target to open the message in OWA. Redirect affected users to the Outlook desktop client or mobile app, which connect through other Exchange interfaces and are not affected by the OWA-based vector described here.
- Hunt for exploitation: Review Exchange and IIS logs for the indicators Microsoft publishes for CVE-2026-42897 in the MSRC advisory. OWA requests are recorded in the IIS logs on each Exchange server (by default under %SystemDrive%\inetpub\logs\LogFiles, as requests to the /owa/ path), so collect those logs from every server, not only from the one that fronts the load balancer. Specifically look for emails with unusual header structures being opened via OWA followed, within the same session, by API calls the user would not normally make, for example reads across many folders in quick succession or requests arriving from a client IP address or user agent that differs from the one that opened the message. Treat any mailbox showing this pattern as compromised and include its email, calendar and contact contents in the data-exposure assessment under Regulatory Implications.
- Patch immediately when available: This is an actively exploited zero-day. When Microsoft releases the patch, apply it within 24 hours, not at the next scheduled maintenance window.
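The EEMS verification step above, as an added example that is not part of this advisory or of Microsoft's own tooling: a script for the Exchange Management Shell that reports the EEMS state of every Exchange server in the organisation from the Get-ExchangeServer properties MitigationsEnabled, MitigationsApplied and MitigationsBlocked, the organisation-level switch on Get-OrganizationConfig, and the MSExchangeMitigation Windows service. The page does not give the identifier of the mitigation pushed on 15 May, so the script takes it as a parameter ($ExpectedMitigation, an assumed name) to be filled in from the MSRC advisory; $report and $needsAction are likewise this example's own names.

```powershell
# Added example (not from the advisory): EEMS verification across all Exchange servers.
# Run in the Exchange Management Shell (Windows PowerShell 5.1) with Exchange admin rights.
# Assumes each server is reachable for Get-Service -ComputerName (remote service-control access).
# $ExpectedMitigation is an assumed parameter name; supply the mitigation ID from the MSRC advisory.
param(
    [string]$ExpectedMitigation = ''
)

# Organisation-level switch: if this is $false, no server applies mitigations whatever its own setting.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organisation-level MitigationsEnabled: $orgEnabled"

$report = foreach ($srv in Get-ExchangeServer) {
    # EEMS runs as the MSExchangeMitigation service; if it is stopped, no new mitigations are fetched.
    $svc = Get-Service -ComputerName $srv.Fqdn -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    # $null when no ID was supplied; otherwise whether this server applied the expected mitigation.
    $expectedApplied = if ($ExpectedMitigation) { $applied -contains $ExpectedMitigation } else { $null }

    [pscustomobject]@{
        Server             = $srv.Name
        ServiceStatus      = $serviceStatus
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($applied -join ', ')
        Blocked            = ($blocked -join ', ')
        ExpectedApplied    = $expectedApplied
    }
}

$report | Format-Table -AutoSize

# Servers needing attention: service not running, EEMS disabled, or the expected mitigation missing or blocked.
$needsAction = $report | Where-Object {
    $_.ServiceStatus -ne 'Running' -or
    -not $_.MitigationsEnabled -or
    $_.ExpectedApplied -eq $false -or
    ($ExpectedMitigation -and $_.Blocked -match [regex]::Escape($ExpectedMitigation))
}

if (-not $orgEnabled) {
    Write-Warning "EEMS is disabled at the organisation level; re-enable with: Set-OrganizationConfig -MitigationsEnabled `$true"
}
foreach ($s in $needsAction) {
    Write-Warning ("{0}: service={1} enabled={2} applied=[{3}] blocked=[{4}]" -f `
        $s.Server, $s.ServiceStatus, $s.MitigationsEnabled, $s.Applied, $s.Blocked)
    if (-not $s.MitigationsEnabled) {
        Write-Host "  Re-enable with: Set-ExchangeServer -Identity $($s.Server) -MitigationsEnabled `$true"
    }
    if ($s.ServiceStatus -ne 'Running') {
        Write-Host "  Start the service on $($s.Server): Start-Service -Name MSExchangeMitigation"
    }
    if ($s.ExpectedApplied -eq $false) {
        Write-Host "  Mitigation '$ExpectedMitigation' not applied: check outbound connectivity to Microsoft's Office Config Service, or apply the manual mitigation from the MSRC advisory"
    }
}
```

Run it once without -ExpectedMitigation to see what each server reports, then again with the identifier from the advisory so that the ExpectedApplied column gives a clear yes/no per server. For a detailed view on a single server, Microsoft's own Get-Mitigations.ps1 script in the Exchange Scripts folder lists the mitigations applied there. If you opt to remove OWA access for selected high-value users rather than for everyone, Set-CASMailbox -Identity <user> -OWAEnabled $false disables OWA for one mailbox while leaving the desktop and mobile clients working.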