An employee opens an email in Outlook Web Access. They don't click a link. They don't open an attachment. They read it — that's the whole attack.
By the time they reach the signature, JavaScript embedded in the message is already running inside their authenticated session: reading their mailbox, lifting their credentials, sending messages as them. There is no malware on the endpoint. There is no exploit chain to a domain controller. There is only the user's own session, doing things the user never did. And in every log you have, the user did all of it.
The flaw: a weaponized email
On June 9, 2026, Microsoft shipped an emergency fix for CVE-2026-42897, a zero-day in on-premises Exchange Server already under active exploitation. Technically it's a spoofing flaw — improper neutralization of input during web-page generation, which is the formal way of saying cross-site scripting in Outlook Web Access. Rated critical at CVSS 8.1.
The mechanics are brutally simple. An attacker sends a crafted email. The victim opens it in OWA. Arbitrary JavaScript executes in their browser session, and from there the attacker can spoof email, steal credentials, hijack the session, and perform actions on behalf of the compromised user. It affects every update level of Exchange Server 2016, 2019, and Subscription Edition. No privileged access required on the attacker's side, and the only "user interaction" needed is the one thing email is designed to make people do: open the message.
The crown jewel of most enterprises isn't a database. It's the mail server — because it's where identity, communication, and trust all converge. Compromise it and you don't break in. You become the company's voice.
Why the mail server is the worst place for this
Exchange isn't just where email lives. It's an identity system. It holds the conversations attackers use to pivot, the password-reset flows they hijack, the org chart they impersonate. An attack that runs inside a trusted OWA session inherits all of that — and wears the user's identity while it does.
That's what makes CVE-2026-42897 nastier than its modest score suggests. There's no second-stage payload to flag, no anomalous process tree, no beacon to a command server. The malicious actions are HTTP requests issued by a legitimate, authenticated browser session — indistinguishable, on their face, from the user simply working in their inbox. The attacker isn't hiding from your detection. They're wearing your user as a disguise.
What the SOC actually sees
Pulled apart into individual events, the attack is invisible. "User opened an email" — happens ten thousand times a day. "User accessed mailbox items" — that's the job. "User sent messages" — normal. "Credential used from the session" — the session is authenticated, so of course it is. Not one of those lines, on its own, is worth chasing.
The breach exists only in the contradictions between them: script execution inside OWA, followed within seconds by a burst of mailbox actions and a credential touch that don't match how this human actually works. Each signal is benign alone. Correlated, in order, they are a session being driven by someone who isn't the user. The tell was always there — it just required holding every event at once and asking a question most stacks never ask: is this really them?
How n0limit catches the session that isn't the user
n0limit treats every action inside a session as something to investigate, not something to wave through because the session authenticated. When script executes in an OWA context and is followed by mailbox and credential activity that contradicts the user's established pattern, those events aren't filed separately under "normal user behavior" — they're enriched, correlated, and resolved to a verdict in under 500 microseconds, and surfaced as a single session-hijack incident with the reasoning trail attached.
That speed is the difference between a contained session and a stolen identity. A verdict in microseconds means the session can be killed before the credentials are reused, before the spoofed emails go out, before the attacker pivots from one inbox into the rest of the estate. An operator — or an auditor asking how an account did things its owner swears it didn't — sees exactly why the session was flagged, not just that access was granted.
The mail server is an identity system, and attackers have figured out that the cleanest way past your defenses is to become one of your people. Any SOC that treats "the user did it" as the end of the investigation will keep losing to attacks that wear the user. The only answer is a verdict that asks whether it's really them — and reaches it at machine speed, while the session is still open.
REFERENCES
BleepingComputer — Microsoft patches Exchange Server zero-day exploited in attacks → Cyber Security News — Exchange Server 0-day exploited using weaponized email → SecurityWeek — Microsoft warns of Exchange Server zero-day exploited in the wild → Microsoft Security Response Center — CVE-2026-42897 →Related from The Signal
When the attacker wears the user, ask if it's really them.
See n0limit investigate and correlate every session action to a verdict in under 500 microseconds — with a reasoning trail you can audit.
Book a demo →Get The Signal in your inbox
Practitioner-level threat intel, delivered when it matters.