Microsoft Exchange Zero-Day Under Active Exploitation: What Organizations Need to Know

  • steve70904
  • May 15
  • 2 min read

The vulnerability is tied to Outlook Web Access (OWA) and involves a cross-site scripting (XSS) and spoofing issue that could allow attackers to execute malicious JavaScript through specially crafted emails. Microsoft confirmed active exploitation but has not yet released full details on the threat actors or attack campaigns behind it.

What makes this particularly concerning is the timing. Just days earlier, Microsoft’s Patch Tuesday updates were celebrated for having no actively exploited zero-days. That changed quickly with the disclosure of CVE-2026-42897.

For security teams, this is another reminder that on-premises Exchange remains a high-value target. Historically, Exchange vulnerabilities have been heavily abused by ransomware groups and state-sponsored actors, including the massive 2021 Exchange compromise campaigns.


Why This Matters

Attackers targeting email infrastructure gain access to one of the most critical systems inside an organization:


  • Internal communications

  • Password reset flows

  • Authentication links

  • Sensitive attachments

  • Executive conversations


Even a spoofing or XSS vulnerability in Exchange can become the first step toward phishing, session hijacking, lateral movement, or ransomware deployment.

Microsoft has provided temporary mitigation guidance while a permanent patch is being prepared. Organizations running on-prem Exchange should prioritize mitigation immediately, especially if OWA is internet-facing.


Recommended Immediate Actions

  • Review whether OWA is publicly accessible

  • Apply Microsoft’s recommended mitigations immediately

  • Monitor Exchange logs for unusual email rendering or JavaScript execution activity

  • Hunt for suspicious authentication events tied to OWA sessions

  • Ensure endpoint detection and response tooling is actively monitoring Exchange servers

  • Restrict unnecessary external access to Exchange infrastructure


Cloud-hosted Exchange Online customers are reportedly not affected by this issue.
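The log-review and hunting items in the list above can be started from the Exchange front-end IIS logs. The following Python script is an added example, not code from the original post or from Microsoft: it parses constructed IIS W3C log lines, lists external client addresses that reached any /owa path (evidence that OWA is internet-reachable), counts bursts of HTTP 401 responses on the OWA authentication endpoint per client, and flags an authenticated request that follows such a burst from the same address. The field layout, the internal-network definition and the use of 401 as the rejected-credential status are assumptions, and since the post publishes no indicators for this CVE, this is generic triage rather than a signature for the vulnerability.

```python
"""Triage Exchange front-end IIS (W3C) logs for OWA exposure and auth anomalies.

Added example: the log lines are constructed, the field layout follows the
IIS W3C extended format, and status-code semantics are simplified (see comments).
"""
import ipaddress
from collections import defaultdict

# Networks treated as "internal" (assumption: RFC 1918 plus loopback and link-local).
# Add your own public ranges here so they are not reported as external clients.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log. IIS replaces spaces with '+' inside a field, so a
# whitespace split is safe. 203.0.113.7 is documentation (TEST-NET-3) space,
# standing in for an arbitrary external client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-05-15 08:00:01 10.0.0.5 GET /owa/ - 443 - 10.0.1.20 Mozilla/5.0+(Windows) 200
2025-05-15 08:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2025-05-15 08:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2025-05-15 08:00:04 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2025-05-15 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2025-05-15 08:00:06 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2025-05-15 08:00:07 10.0.0.5 POST /owa/auth.owa - 443 CORP\\jdoe 203.0.113.7 python-requests/2.31 302
2025-05-15 08:01:00 10.0.0.5 GET /ecp/ - 443 CORP\\admin 10.0.1.30 Mozilla/5.0+(Windows) 200
"""


def parse_iis_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_owa_clients(records):
    """Client IPs outside INTERNAL_NETS that reached any /owa path."""
    return sorted({r["c-ip"] for r in records
                   if r["cs-uri-stem"].lower().startswith("/owa")
                   and not is_internal(r["c-ip"])})


def failed_auth_bursts(records, threshold=5):
    """Per-client count of HTTP 401s on /owa/auth*, keeping clients at/above threshold.
    Assumption: 401 is the rejected-credential status for the configured auth method."""
    counts = defaultdict(int)
    for r in records:
        if r["cs-uri-stem"].lower().startswith("/owa/auth") and r["sc-status"] == "401":
            counts[r["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def success_after_failures(records, threshold=5):
    """(ip, user) pairs where an authenticated request (cs-username set) follows
    at least `threshold` 401s from the same client, in log order."""
    failures = defaultdict(int)
    hits = []
    for r in records:
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        if stem.startswith("/owa/auth") and r["sc-status"] == "401":
            failures[ip] += 1
        elif r["cs-username"] != "-" and failures[ip] >= threshold:
            hits.append((ip, r["cs-username"]))
            failures[ip] = 0  # report each burst once
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("external OWA clients:", external_owa_clients(recs))
    print("401 bursts on /owa/auth:", failed_auth_bursts(recs))
    print("authenticated after burst:", success_after_failures(recs))
```

On a real server, point `parse_iis_log` at the front-end site's W3C log files and tune `INTERNAL_NETS` and the threshold to the environment; any external address in the first result answers the "is OWA publicly accessible" question directly, and the third result is the kind of authentication event worth correlating with mailbox activity.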

The bigger lesson here is simple: organizations still relying on exposed on-prem Exchange infrastructure remain in a constant race against rapidly weaponized vulnerabilities. Threat actors are increasingly exploiting the narrow gap between disclosure and patch adoption — sometimes within hours.



© 2025 by Seven8 design co. 
