Medium
Squirrelwaffle is a malspam loader that emerged in September 2021. It spreads through spam campaigns carrying malicious links or Microsoft Office files that trigger an infection chain when opened. ProxyLogon and ProxyShell were two exploits used in the attacks.
Vulnerabilities CVE-2021-26855 (ProxyLogon), CVE-2021-34473 and CVE-2021-34523 (ProxyShell) were used in the exploitation of the servers. ProxyLogon is a server-side request forgery (SSRF) vulnerability that allows threat actors to access an Exchange server by sending a specially crafted web request. The ProxyShell vulnerability, on the other hand, abused URL normalization of explicit Logon URLs to access the Exchange machines. The other ProxyShell vulnerability can be used to impersonate a local administrator to run PowerShell commands.
The malicious emails carry Microsoft Excel or Word files which, once opened, download ZIP files onto the system and execute the malicious DLL.
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Download patches for all the CVEs mentioned above at https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Use detection and protection services such as XDR, SOAR, and EDR platforms.
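The "search for IOCs in your environment" step above is usually done by sweeping proxy, DNS and EDR logs for the advisory's indicators. The following Python script is an added example, not code from the advisory or its authors: it accepts indicators in the defanged form advisories publish them in (hxxp://, [.]), refangs and normalizes them once, and matches them against log lines with token boundaries so that a hash written in upper case still matches and a partial IP or domain does not produce false hits. All indicator values and log lines are constructed placeholders; the real IOCs from the advisory would be substituted into INDICATORS.

```python
"""Sweep text logs for a list of indicators of compromise.

Added example: indicator values and log lines below are constructed
placeholders, not the advisory's actual IOCs.
"""
import re
from typing import Dict, Iterable, List, Pattern, Set, Tuple

# Constructed placeholder indicators, written defanged as advisories publish them.
INDICATORS: Dict[str, List[str]] = {
    "domain": ["loader-example[.]test"],
    "ip": ["203.0.113.45"],
    "sha256": ["0123456789abcdef" * 4],  # placeholder hash, 64 hex chars
    "url": ["hxxps://loader-example[.]test/files/update.zip"],
}

# Common defanging conventions and their literal forms.
_DEFANG = [("hxxp", "http"), ("[.]", "."), ("[:]", ":"), ("(.)", ".")]


def refang(value: str) -> str:
    """Turn a defanged indicator back into its literal, lower-cased form."""
    out = value.strip()
    for fanged, literal in _DEFANG:
        out = out.replace(fanged, literal)
    return out.lower()


def normalize(indicators: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator and deduplicate per indicator type."""
    return {kind: {refang(v) for v in values} for kind, values in indicators.items()}


def _boundary_pattern(kind: str, value: str) -> Pattern[str]:
    """Compile a pattern that only matches the indicator as a whole token."""
    if kind in ("ip", "sha256"):
        # 203.0.113.4 must not match 203.0.113.45; a hash must not match a longer hex run.
        return re.compile(r"(?<![0-9a-f.])" + re.escape(value) + r"(?![0-9a-f.])")
    if kind == "domain":
        # example.test must not match notexample.test or example.test-foo.
        return re.compile(r"(?<![a-z0-9.-])" + re.escape(value) + r"(?![a-z0-9-])")
    # URLs are specific enough to match as a plain substring.
    return re.compile(re.escape(value))


def scan_lines(lines: Iterable[str],
               indicators: Dict[str, List[str]] = INDICATORS) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every hit, in log order."""
    compiled = [(kind, v, _boundary_pattern(kind, v))
                for kind, vals in normalize(indicators).items()
                for v in sorted(vals)]
    hits: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.lower()  # case-insensitive: EDR exports often upper-case hashes
        for kind, value, pattern in compiled:
            if pattern.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed sample log lines: proxy, DNS and EDR records, two of them benign.
SAMPLE_LOGS = [
    "2021-09-20T10:01:02Z proxy src=10.0.0.5 url=https://loader-example.test/files/update.zip status=200",
    "2021-09-20T10:01:05Z dns query=loader-example.test answer=203.0.113.45",
    "2021-09-20T10:02:11Z edr host=WS-17 file=update.dll sha256=" + ("0123456789ABCDEF" * 4),
    "2021-09-20T10:03:00Z proxy src=10.0.0.6 url=https://intranet.example/index.html status=200",
    "2021-09-20T10:03:30Z dns query=notloader-example.test answer=203.0.113.4",
]

if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} indicator matched: {value}")
```

On the constructed sample the sweep reports five hits on the first three lines (the URL line also matches its embedded domain) and nothing on the two benign lines, including the near-miss domain and IP on the last line. In practice the same function is fed from log files or a SIEM export line by line.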