
Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs

With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.


CVE-2026-42897 is being actively exploited. The Microsoft Exchange Emergency Mitigation Service (EEMS) automatic mitigation applies a protective rule to Exchange servers, but the mitigation is not a patch: it blocks known exploitation patterns but may not cover all variants. For organisations running on-premises Exchange Server or hybrid Exchange, active threat hunting for existing compromise is essential.

This guide covers the log sources, search patterns, and analytical approaches that reveal CVE-2026-42897 exploitation activity.

Understanding the Attack Pattern

CVE-2026-42897 is an XSS vulnerability in Outlook Web App (OWA). The attack chain works as follows:

  1. The attacker sends a crafted email to a targeted Exchange user
  2. The target opens the email in OWA (the browser-based webmail interface)
  3. The XSS payload executes in the target's browser, capturing their OWA session token
  4. The stolen session token is sent to attacker infrastructure, typically via a crafted image request or background fetch() call
  5. The attacker reuses the session token to access the target's mailbox from a different IP address and browser

The key observable: after step 4, the attacker's session activity appears as OWA API calls using the stolen token from a new IP address, browser, or geographic location.

Log Sources to Review

IIS Logs on Exchange Servers (%SystemDrive%\inetpub\logs\LogFiles\W3SVC1): These are the primary source for OWA access patterns. Look for the specific request patterns that the XSS payload sends to exfiltrate the session token, typically an unusual outbound GET or POST from OWA to an external image URL or fetch endpoint.

Exchange Audit Logging: If mailbox audit logging is enabled (and it should be; Get-MailboxAuditBypassAssociation should show no bypass users), audit logs record what was accessed in each mailbox session. A compromised session will typically show rapid mailbox searches, folder enumeration, and email access that diverges from the legitimate user's normal usage pattern.

Microsoft Entra Sign-In Logs (for hybrid deployments): If Exchange is integrated with Azure AD for Conditional Access, sign-in logs will show the token-based session. Look for OWA access from unusual IP geolocation, new device fingerprints, or concurrent sessions from different countries.
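The key observable from the attack pattern above (one user's OWA session active from more than one client IP or browser within a short window) can be hunted directly in the IIS W3C logs before the Sentinel queries are available. The following is an added example, not code from the original article: it parses the W3C #Fields directive, keeps only /owa requests, and reports users whose requests came from more than one (client IP, user agent) pair within a configurable window. The log lines are constructed samples; the field layout and placeholder domain are assumptions.

```python
"""Flag OWA users active from more than one client IP / browser within a
short window, parsed from IIS W3C log lines (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C format; IIS encodes spaces in the
# user agent as '+'. The field order is what a typical W3SVC1 log uses.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-06-02 08:01:10 POST /owa/service.svc alice@corp.example 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0)+Chrome/125 200
2026-06-02 08:03:42 GET /owa/ alice@corp.example 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0)+Chrome/125 200
2026-06-02 08:05:01 POST /owa/service.svc/FindItem alice@corp.example 203.0.113.50 Mozilla/5.0+(X11;+Linux)+Firefox/120 200
2026-06-02 08:05:09 POST /owa/service.svc/FindFolder alice@corp.example 203.0.113.50 Mozilla/5.0+(X11;+Linux)+Firefox/120 200
2026-06-02 08:06:00 GET /owa/ - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/125 401
2026-06-02 09:30:00 GET /owa/ bob@corp.example 10.1.2.9 Mozilla/5.0+(Windows+NT+10.0)+Edge/125 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def find_session_reuse(text, window=timedelta(minutes=30)):
    """Return {user: {(ip, user_agent), ...}} for users whose /owa requests
    came from more than one (IP, user agent) pair within `window` of each other."""
    per_user = defaultdict(list)  # user -> [(timestamp, ip, ua)]
    for rec in parse_iis_w3c(text):
        if rec["cs-username"] == "-" or not rec["cs-uri-stem"].lower().startswith("/owa"):
            continue  # unauthenticated requests and non-OWA paths are not sessions
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        per_user[rec["cs-username"]].append((ts, rec["c-ip"], rec["cs(User-Agent)"]))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        for i, (t1, ip1, ua1) in enumerate(events):
            for t2, ip2, ua2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, so later ones are further away
                if (ip2, ua2) != (ip1, ua1):
                    hits.setdefault(user, set()).update({(ip1, ua1), (ip2, ua2)})
    return hits


if __name__ == "__main__":
    for user, clients in find_session_reuse(SAMPLE_LOG).items():
        print(user, sorted(clients))
```

A hit is a lead, not a verdict: compare the flagged IPs and user agents against the user's normal pattern and the Entra sign-in data described above before treating it as the stolen-token session.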

KQL Queries for Microsoft Sentinel

Detecting session reuse from a new IP within a short window:

SigninLogs
| where AppDisplayName contains "Exchange"
| where ClientAppUsed == "Browser"
| summarize 
    IPAddresses = make_set(IPAddress),
    Countries = make_set(LocationDetails.countryOrRegion),
    Sessions = count()
    by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(IPAddresses) > 1
| where Sessions > 5

Detecting OWA access followed by bulk email access indicative of post-compromise intel collection:

OfficeActivity
| where Operation in ("MailItemsAccessed", "FolderBind", "SearchQueryInitiatedExchange")
| where ClientInfoString contains "OWA"
| summarize 
    AccessCount = count(),
    UniqueIPs = dcount(ClientIPAddress)
    by UserId, bin(TimeGenerated, 30m)
| where AccessCount > 50
| where UniqueIPs > 1

Hunting for XSS payload delivery, emails with unusual attachment or body patterns:

// Placeholder list: replace with the domains your organisation treats as trusted
let TrustedDomains = dynamic(["contoso.example", "contoso-partner.example"]);
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Phish", "Spam")
| join EmailUrlInfo on NetworkMessageId
| where UrlDomain !in~ (TrustedDomains)
| where isnotempty(Url)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url

Signs of Active Exploitation to Investigate

  • Concurrent OWA sessions from geographically distant IPs within the same time window: the stolen session runs in parallel with the legitimate user's session
  • OWA API calls to mailbox search or folder list endpoints at unusual hours for the specific user
  • Forwarding rule creation shortly after an OWA session: attackers often create inbox forwarding rules immediately after gaining access to maintain persistent visibility into future communications
  • Emails sent from an OWA session that the legitimate user did not authorise, used for further phishing within the organisation

Immediate Containment Actions If Compromise is Confirmed

  1. Reset the compromised user's password and revoke all active tokens via Azure AD: Revoke-AzureADUserAllRefreshToken
  2. Disable OWA access for the affected user while investigation continues
  3. Audit mailbox access: export the full mailbox audit log for the affected user from the compromise window to determine what was accessed
  4. Check and remove forwarding rules: Get-InboxRule -Mailbox <user> | Where-Object {$_.ForwardTo -ne $null}
  5. Review sent items and deleted items folders for attacker-generated emails or data staged for exfiltration

EEMS mitigation status can be confirmed with: Get-ExchangeDiagnosticInfo -Server <ServerName> -Process EdgeTransport -Component RuleUpdateStatus. An Active status indicates the mitigation is in place, but does not confirm the server was not exploited before the mitigation applied.
