Plaintext with Rich
Cybersecurity is an everyone problem. So why does it always sound like it’s only for IT people?
Each week, Rich takes one topic, from phishing to ransomware to how your phone actually tracks you, and explains it in plain language in under ten minutes or less. No buzzwords. No condescension. Just the stuff you need to know to stay safer online, explained like you’re a smart person who never had anyone break it down properly. Because you are!
Plaintext with Rich
Microsoft Exchange Zero-Day Under Attack: One Email Hijacks OWA
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
It's Monday morning. You open the third email of the day. Nothing visible happens, but in the background, an attacker just borrowed the proof you were logged in.
Episode 28 of Plaintext with Rich is a hot take on CVE-2026-42897, the Microsoft Exchange Server zero-day under active exploitation right now. We break down what cross-site scripting actually does inside Outlook Web Access, why session hijacking is more dangerous than the underlying bug, and how a single crafted email becomes business email compromise. We look at the on-premises versus Exchange Online divide, why ProxyLogon and ProxyShell aren't ancient history yet, and what CISA's Known Exploited Vulnerabilities catalog listing and the May 29 federal deadline mean for everyone else. The episode closes with a Plaintext Starter Kit of four moves any on-prem Exchange team should make this week.
If you run on-prem Exchange, support someone who does, or you've been putting off the migration conversation, this one is for you.
Ten minutes. One topic. No panic.
Is there a topic/term you want me to discuss next? Text me!!
YouTube more your speed? → https://links.sith2.com/YouTube
Apple Podcasts your usual stop? → https://links.sith2.com/Apple
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord
Follow the human behind the microphone → https://links.sith2.com/linkedin
Need another way to reach me? That’s here → https://linktr.ee/rich.greene
The One Email Trap
SPEAKER_00It's Monday morning. You open your inbox. 28 emails over the weekend. You click the third one. The sender looks fine. The subject line is reasonable. The body looks normal. You read it. You close it. Nothing happened. So you think. In the background, your browser just ran a small piece of code the attacker hid inside the message. That code grabbed the proof you were logged in, not your password. The thing that comes after your password, the signed wristband that says this person is allowed to be here right now. The attacker didn't need to know your password. They didn't need your MFA code. They just needed you to open the email. That's CVE 2026 42897. We're going to come back soon to breaking that down in a moment. This one is the exchange flaw that might be on a lot of people's whiteboards right now.
What A CVE And Zero Day Mean
SPEAKER_00Welcome to Plain Text with Rich. Today we're talking about a fresh vulnerability in Microsoft Exchange, how a single email can hijack a webmail session, and why this keeps happening to on-premise exchange specifically. Now, a quick translation on the label I had mentioned, right? Because we're going to use it more than once. CVE stands for Common Vulnerabilities and Exposures. It's the global naming system for publicly disclosed security flaws. Every vulnerability that goes public gets one of these IDs, so the whole industry can talk about the same bug without confusion. The 2026 is the year it was assigned. The number after it is just unique sequential identifier. And another term I want to explain is zero day, because we're going to mention that word as well. And that simply means there is no patch yet. The vendors had, well, zero days to prepare. The attackers found it first. The vendor is racing to catch up, and the rest of us, we're just stuck with workarounds. Now, this particular bug is a cross-site scripting flaw, or what you might see as XSS. That's what happens when a website accidentally treats something the attacker wrote as code instead of as text. The attacker sends content, the website forgets to check it, the website's own page then runs the attacker's
How XSS Hits Outlook Web Access
SPEAKER_00code in your browser. That's it. Bad input, trusted spot, code runs. Here's what makes this one specific. The website in question is Outlook Web Access, or what you might again hear or read as OWA. The browser version of Outlook your company uses when staff are remote on a personal laptop or just don't have the desktop app open. And the attacker writes a carefully crafted email. Now, HTML email is supposed to allow formatting, images, links. It's not supposed to run JavaScript when you read it. But Microsoft's Exchange server in certain on-prem versions, okay, isn't catching one specific pattern. A piece of JavaScript inside that email slips through. When you open the message in OWA, the script runs inside the same browser tab that's already signed into your mailbox. Now here's the part that matters. The attacker isn't taking over the Exchange server. They're not breaking into Microsoft. They're taking over your already open webmail session. Imagine you walk into your house, take off your coat, and you sit down. Someone slips in behind you while the door is still closing. They didn't need a key, the door was still open, they're in. That's session hijacking. The attacker doesn't need your password again. They don't need your MFA codes. They just borrow the open door of your already trusted session.
Session Hijacking Without Passwords
SPEAKER_00Well, you might be asking, what can they do with it? Well, they can read your email, they can send email as you set up, you know, hidden forwarding rules that quietly copy every message to an outside address. That rule can potentially survive a password reset. Now translate that to a business. The CFO's mailbox gets hijacked. CFO, chief financial officer. The attacker reads maybe three weeks of context. They wait until a real wire transfer is being discussed, then they reply as the CFO redirecting the payment. That's how BEC or business email compromise works. And the entry point was one email.
From Inbox Access To Wire Fraud
SPEAKER_00Here's the part people are arguing about though. Microsoft sells Exchange two ways. Exchange Online is the version Microsoft hosts. You don't manage the server. They patch it, they monitor it. When something breaks, it's their pager that goes off. Now, Exchange Server On-Prem is the version you install on your own hardware in your own building. You manage it, you patch it, you monitor it, you schedule the maintenance windows. When a flaw shows up in the on-prem version, three things have to happen. Microsoft has to ship the fix. You have to download it. You have to install it without breaking email for the whole company. That can potentially be a lot of friction. The cloud version skips that friction. Microsoft pushes the fix and it's done. And this isn't the first time. Proxy login in 2021, Proxy Shell later that year. Tens of thousands of on-prem exchange servers got compromised because the gap between disclosure and patch deployment is just wide enough for attackers to win the race. And that's the pattern. On-prem exchange has been a recurring target because the patch lifecycle is harder and every unpatched server is a public-facing inbox attackers can
Why On-Prem Exchange Keeps Getting Hit
SPEAKER_00poke at. Now, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, added the CVE to their known exploited vulnerabilities catalog on May 15th. They gave federal agencies until May 29th to apply mitigations. If your organization runs on-prem exchange, treat that deadline as yours too, even if you're not federal. And we've already passed it. By the time you hear this, that's already passed. There's no full patch yet. Microsoft has a temporary mitigation that auto-applies, you know, through the Exchange Emergency Mitigation Service. It blocks the specific attack path using something called a content security policy. That's a header that tells the browser what's allowed to run on a page. The mitigation tells the browser don't run any inline JavaScript inside OWA. And that works for now, but mitigations aren't patches. They're tape over the hole until Microsoft ships the
CISA Deadlines And Temporary Mitigation
SPEAKER_00real fix. So what do you actually do? All right, here's our starter kit. One, verify the mitigation is actually applied. Run the exchange health checker. Confirm the relevant M2 entry shown as applied. Microsoft has acknowledged a known issue where the status text can look wrong even when the mitigation is in place. So don't assume verify. Number two, audit mailbox forwarding rules. Pull a report of every inbox rule across your tenant. Look for forwards to outside addresses. Look for rules that quietly delete or move messages with words like invoice, wire, payment. Okay. Active exploitation
Your Starter Kit To Respond
SPEAKER_00was happening before disclosure. So do this even if nothing looks wrong yet. Number three, reset OWA sessions. If session tokens may have been stolen, invalidate them. Make people sign back in. It's a small annoyance compared to letting a hijacked session keep running quietly in the background. Four, have the migration conversation. This isn't a sales pitch for cloud, it's a planning conversation. If you've been running on-prem exchange because nobody scheduled the meeting, this is your reason to schedule it. Look at your options and make a decision. So a quick recap: one craft and email, open in webmail, JavaScript runs inside your already signed in tab. Attacker takes your session, reads your mail, sends as you plants a quiet forwarding rule. No password needed, no MFA bypass needed, just one open message in a browser. On-prem exchange keeps getting hit because the patch race is real and the mitigation is only as good as the next variation of the attack.
Recap And How To Reach Us
SPEAKER_00If you're listening in a browser, hit subscribe in whatever app you use. It's the single best way to make sure you don't miss the next one. I want to hear from you. Questions, pushback, war stories from the on-prem trenches. Email, DM, leave a comment. Every message gets read and I will respond. And yes, you can send me an actual email. Just promise it doesn't contain JavaScript. Now, if this episode helped, please share it with someone who would actually benefit as well. This has been Plain Text with Rich. One topic, 10 minutes, no panic. I'll see you next time.