Microsoft confirmed on 15 May that CVE-2026-42897 — a cross-site scripting vulnerability in Exchange Server’s Outlook Web App — is being actively exploited in targeted attacks. The zero-day allows an attacker to inject malicious JavaScript into an authenticated OWA session, enabling session token hijacking, email exfiltration, and potential lateral movement via Exchange impersonation. No patch is currently available. Microsoft has deployed a mitigating rule via the Exchange Emergency Mitigation Service (EEMS) and CISA has added the vulnerability to the Known Exploited Vulnerabilities catalogue.
Technical Detail
The vulnerability exists in Exchange Server’s rendering of certain message header fields in Outlook Web App. When a user opens a specially crafted email in OWA, Exchange fails to properly sanitise a header field value that is reflected in the OWA interface, resulting in the execution of attacker-controlled JavaScript in the context of the victim’s OWA session.
The attacker’s JavaScript can:
- Extract the victim’s OWA session cookie and transmit it to an attacker-controlled server, enabling session hijacking without password theft
- Silently forward email content and attachments to attacker-controlled email addresses
- Use Exchange’s MAPI-over-HTTP API with the session token to search and exfiltrate mailbox contents
- Trigger searches across the user’s entire mailbox, potentially recovering sensitive communications, credentials shared via email, or internal documents
The attack requires sending a specially crafted email to a target whose mailbox is hosted on an on-premises Exchange Server and who opens the email in OWA. Exchange Online (Microsoft 365) is not affected.
Active Exploitation Context
Microsoft’s threat intelligence team identified targeted exploitation of CVE-2026-42897 prior to Microsoft’s own disclosure. Attribution has not been published, but the targeting pattern — focused on government, defence, and financial services sectors — is consistent with nation-state reconnaissance operations interested in email intelligence.
Interim Mitigation
Microsoft deployed an EEMS rule (Emergency Mitigation Service — Exchange Server’s automated threat response mechanism) on 15 May that blocks the specific attack vector through HTTP request pattern matching. EEMS updates are applied automatically to Exchange Servers with EEMS enabled.
To verify EEMS is enabled and the mitigation has applied, run the following from the Exchange Management Shell:
Get-ExchangeDiagnosticInfo -Server <ServerName> -Process EdgeTransport -Component RuleUpdateStatus
Additional manual mitigations whilst awaiting a patch:
- Disable OWA: If OWA is not operationally required, disabling it eliminates the attack surface. Consider directing users to the Outlook desktop client exclusively.
- Network access controls: Restrict OWA access to known IP ranges or require VPN access before OWA is reachable. This limits attacker ability to interact with the XSS payload.
Recommended Actions
- Verify EEMS is active: Confirm the EEMS rule has applied to all Exchange Servers. Servers isolated from internet access cannot fetch EEMS updates and may not have received the mitigation.
- Enable EEMS if disabled: If EEMS was disabled for any reason, re-enable it to receive the mitigation:
Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
- Hunt for exploitation: Review Exchange and IIS logs for the header pattern identified in Microsoft’s advisory. Look for anomalous OWA session activity: logins from new IPs, mass email access, or unexpected email forwarding rule creation.
- Patch immediately when available: This is an actively exploited zero-day in widely deployed email infrastructure. Patch upon release without waiting for scheduled maintenance.
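To make the hunting step concrete, the following is an added example (not code from Microsoft’s advisory or the EEMS rule) that triages IIS W3C logs for the OWA session anomalies listed above: a user whose authenticated OWA requests appear from a second client IP within a short window, and per-IP counts of mailbox-read calls. It assumes the #Fields layout shown, assumes OWA reads are logged as action=GetItem/FindItem/FindConversation in cs-uri-query, uses constructed sample lines, and does not include the header signature from the advisory, which this page does not reproduce.

```python
"""Hunt for anomalous OWA session activity in IIS W3C logs (added example).
Flags a user whose authenticated OWA requests come from a second client IP within
`window` of the previous request (how a hijacked session cookie shows up) and counts
mailbox-read calls per source IP. Field names and sample log lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
#Fields: date time cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2026-05-15 09:00:01 /owa/ - CORP\alice 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-15 09:00:05 /owa/service.svc action=FindConversation&ID=-5 CORP\alice 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-15 09:03:10 /owa/service.svc action=FindItem&ID=-20 CORP\alice 203.0.113.9 python-requests/2.31 200
2026-05-15 09:03:11 /owa/service.svc action=GetItem&ID=-2 CORP\alice 203.0.113.9 python-requests/2.31 200
2026-05-15 09:10:00 /owa/ - CORP\bob 10.1.2.7 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-15 09:10:04 /owa/service.svc action=GetItem&ID=-2 CORP\bob 10.1.2.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""
READ_ACTIONS = {"action=GetItem", "action=FindItem", "action=FindConversation"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()  # IIS replaces spaces inside values with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_suspicious_owa_sessions(text, window=timedelta(minutes=15), read_threshold=2):
    """Return {user: {"ips": [...], "reads_by_ip": {...}}} for users worth triage."""
    by_user = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower().startswith("/owa") and rec["cs-username"] != "-":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            by_user[rec["cs-username"]].append((ts, rec))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda r: r[0])
        reads = defaultdict(int)
        for _, rec in reqs:
            if READ_ACTIONS & set(rec["cs-uri-query"].split("&")):
                reads[rec["c-ip"]] += 1
        # A different client IP appearing within `window` of the previous request
        second_ip = any(a["c-ip"] != b["c-ip"] and tb - ta <= window
                        for (ta, a), (tb, b) in zip(reqs, reqs[1:]))
        if second_ip or any(n >= read_threshold for n in reads.values()):
            findings[user] = {"ips": sorted({r["c-ip"] for _, r in reqs}), "reads_by_ip": dict(reads)}
    return findings
```

Tune `window` and `read_threshold` to the organisation’s normal OWA usage before running it over real logs; a user legitimately switching from office Wi-Fi to mobile will also trip the second-IP check, so treat hits as triage leads.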