Hal Pomeranz · Apr 20, 2022 · 11:58 AM UTC

Hal Pomeranz · Apr 20, 2022 · 11:58 AM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

20 Apr 2022

Actually let me quote tweet this so it’s easier for everybody to see

Hal Pomeranz @hal_pomeranz

20 Apr 2022

Replying to @uplinc

The most common indicator we’re seeing is w3wp.exe spawning csc.exe. Look for webshells under …\Exchange Server\*\FrontEnd\HttpProxy\{owa,ecp}\*

Apr 20, 2022 · 11:58 AM UTC

c3b4rc3b4r · Apr 20, 2022 · 5:54 PM UTC

c3b4rc3b4r @c3b4rc3b4r

20 Apr 2022

Replying to @hal_pomeranz

To be clear - is there a new attack currently going on?

eternalyperplxed@infosec.exchange · Apr 20, 2022 · 12:00 PM UTC

eternalyperplxed@infosec.exchange @rstasiunas

20 Apr 2022

Replying to @hal_pomeranz

Wouldn't it be easier at this point for Microsoft to just adopt webshells as a standard email transport protocol? That way they can claim it's a feature and not a bug! /s