Microsoft Exchange ProxyShell Scanning Doubles in April 2026 as Two Distinct Campaign Clusters Emerge

Introduction

F5 Labs honeynet sensors recorded a sharp increase in Microsoft Exchange exploitation activity during April 2026, driven primarily by renewed interest in the ProxyShell vulnerability chain. While these vulnerabilities have been publicly known and patched for several years, scanning continues at scale across internet facing Exchange servers.

The activity observed this month highlights two distinct patterns. A steady baseline of ProxyLogon probing remains in place, while a separate campaign targeting ProxyShell shows clear signs of growth, including higher volumes and rotating infrastructure. This article examines how these two streams of activity differ, what is driving the increase, and why older Exchange vulnerabilities continue to attract attention from threat actors.

Microsoft Exchange ProxyShell Scanning Doubles in April 2026

Throughout April 2026, our sensors recorded a substantial surge in exploitation attempts targeting Microsoft Exchange Server vulnerabilities. The ProxyShell/ProxyLogon/ProxyNotShell signature group generated over 13,300 raw events across five co-occurring CVE signatures, with the ProxyShell chain driving the bulk of the increase.

The most frequently triggered signature, CVE-2021-34523, recorded 13,361 raw events in April, up from 6,492 in March, a 106% increase. CVE-2021-34473 and CVE-2022-41040 each rose from 4,232 to 11,768 events, an increase of approximately 178%. In contrast, CVE-2021-26855 held essentially flat at 2,710 events (compared to 2,713 in March), and CVE-2022-41082 declined slightly from 2,780 to 2,251 events.

This divergence in volume trends across the signature group is significant. It reveals that the activity is not a single monolithic campaign but rather two operationally distinct scanning clusters with different infrastructure, targeting patterns, and growth trajectories.

Cluster 1: Stable ProxyLogon Scanning from Azure Infrastructure

A group of five Azure-hosted IP addresses focused exclusively on CVE-2021-26855 (the ProxyLogon SSRF vulnerability). Each IP generated between 190 and 262 CVE-tagged events alongside 460 to 665 generic reconnaissance events against email infrastructure. Total volume for this cluster held steady at approximately 2,710 events, virtually unchanged from March. This consistency suggests a long-running, automated scanning operation that has been operating at a fixed cadence for an extended period.

Cluster 2: Expanding ProxyShell Campaign from European and Cloud VPS

The driver of the volume increase was a separate campaign targeting the ProxyShell chain (CVE-2021-34523, CVE-2021-34473, CVE-2022-41040). This cluster sourced from a rotating set of European hosting providers and US cloud platforms. The top sources in April included:

Table 1: ProxyShell campaign sources

A critical finding is the significant IP rotation between months. Most of April's top sources were absent from March data. Only 77.246.106.116 (NL) persisted across both months, increasing its volume by 82% (from 1,008 to 1,836 events). Meanwhile, previously active IPs like 76.9.201.201 (CA, 1,188 events in March) and 146.70.170.83 (NO, 900 events in March) dropped out entirely. This rotation pattern is consistent with operators cycling through VPS instances to evade IP-based blocking, indicating active infrastructure management.

Burst Scanning Pattern

The daily event timeline for the ProxyShell cluster reveals a distinctive pattern of high-volume bursts separated by periods of inactivty, rather than continuous scanning:

• April 16: 2,619 events (monthly peak)
• April 20: 2,452 events
• April 17: 1,228 events
• April 24: 1,213 events
• April 30: 1,228 events
• Inactivity: April 1, 4, 6, 8, 12, 19, 22, 26

The roughly 3 to 4 day cadence between major bursts is characteristic of scheduled scanning operations that process target lists in batches rather than running continuous crawls. Similar burst patterns were visible in earlier months (e.g., January 22 at 2,430 events, March 6 at 1,045 events), though April's peaks were notably larger, consistent with the overall volume increase.

Vulnerability Context

All five CVEs in this signature group affect Microsoft Exchange Server (on-premises versions 2013, 2016, and 2019) and are confirmed on the CISA Known Exploited Vulnerabilities (KEV) catalog with documented associations to ransomware campaigns.

Table 2: CVE overview

These vulnerabilities range from three to five years old, with patches available since March 2021 (ProxyLogon), August 2021 (ProxyShell), and November 2022 (ProxyNotShell). Their continued and growing exploitation in April 2026 confirms that a meaningful population of unpatched on-premises Exchange servers remains exposed on the internet.

How These Vulnerabilities Work

The five CVEs observed in this activity form three related but distinct attack chains, all targeting the same product: Microsoft Exchange Server's Client Access Service (CAS), which handles HTTP-based protocols like Outlook Web Access, Exchange Web Services, and Autodiscover.

ProxyLogon Chain (CVE-2021-26855)

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in the Exchange Server's CAS proxy logic. The flaw exists in how Exchange handles HTTP requests to backend services. An unauthenticated attacker can send specially crafted requests to the Exchange server that cause it to authenticate to internal backend services as the SYSTEM account. Specifically, the vulnerability allows an attacker to forge requests that bypass authentication by manipulating the X-BEResource cookie, causing the CAS frontend to proxy requests to arbitrary backend URLs with elevated privileges.

The impact: an attacker can read email from any mailbox, write files to any path on the Exchange server (enabling web shell deployment), and access internal services that should not be externally reachable.

Affected versions: Exchange Server 2013, 2016, and 2019 prior to the March 2021 security updates.

ProxyShell Chain (CVE-2021-34473, CVE-2021-34523)

CVE-2021-34473 is a pre-authentication path confusion vulnerability in Exchange Server's Explicit Logon feature. The CAS frontend normalizes URLs before routing them to backend services, but a flaw in this normalization allows an attacker to access backend URLs that should require authentication. By crafting a URL with a specific Autodiscover endpoint pattern, an attacker can reach the Exchange PowerShell backend without authenticating. This effectively provides unauthenticated access to Exchange's management interface.

CVE-2021-34523 is a privilege escalation vulnerability in the Exchange PowerShell backend. When the path confusion from CVE-2021-34473 delivers an unauthenticated request to the PowerShell remoting endpoint, this second flaw allows the attacker to impersonate the Exchange mailbox of the SYSTEM account. The backend fails to properly validate the caller's identity when the request arrives through the confused proxy path, granting the attacker administrative Exchange PowerShell access.

When chained together (and typically with a third vulnerability, CVE-2021-31207, for mailbox export to write web shells), the ProxyShell chain provides unauthenticated remote code execution. The attacker gains the ability to execute arbitrary commands on the Exchange server, deploy persistent backdoors, and pivot into the internal network.

Affected versions: Exchange Server 2013, 2016, and 2019 prior to the April and May 2021 cumulative updates.

ProxyNotShell Chain (CVE-2022-41040, CVE-2022-41082)

CVE-2022-41040 is an SSRF vulnerability similar in nature to ProxyLogon but exploited through a different request path. It allows an authenticated attacker to trigger server-side requests by manipulating the Autodiscover endpoint. Unlike ProxyLogon and ProxyShell, this vulnerability requires valid credentials (even low-privilege mailbox credentials suffice), which is a meaningful limitation but one easily overcome through credential stuffing or phishing.

CVE-2022-41082 is a remote code execution vulnerability in Exchange Server's PowerShell remoting component. When chained with CVE-2022-41040, the SSRF is used to reach the PowerShell backend, where this RCE flaw allows execution of arbitrary commands. The mechanism is similar to ProxyShell's PowerShell abuse but exploits a different code path that was not addressed by the original ProxyShell patches.

Affected versions: Exchange Server 2013, 2016, and 2019 prior to the November 2022 security updates.

Threat Assessment

Operational Intent

The combination of all five CVEs carrying confirmed ransomware campaign associations on the CISA KEV catalog provides strong context for the likely intent behind this scanning. The ProxyShell and ProxyLogon chains have been extensively documented as initial access vectors for ransomware operations, including campaigns by Conti, LockBit, BlackCat/ALPHV, and various access brokers who sell Exchange server access on criminal marketplaces.

The scanning observed here represents the reconnaissance and initial exploitation phase of this kill chain: identifying internet-facing Exchange servers that remain vulnerable, with the goal of establishing initial access (typically via web shell deployment) that can later be monetized through ransomware deployment or sold to other threat actors.

Two Independent Operations

The data supports the assessment that at least two independent operations are responsible for the observed activity:

1. The ProxyLogon cluster (Azure-based, stable volume, focused on CVE-2021-26855) appears to be a mature, long-running scanning operation. Its use of Azure infrastructure may be deliberate, as Azure IP ranges are less likely to be blocked by organizations that use Microsoft cloud services. The steady volume suggests this operation has found a sustainable scanning rate that avoids triggering rate-based defenses.
2. The ProxyShell cluster (European/cloud VPS, doubling volume, bursty pattern, active IP rotation) appears to be an expanding operation that is actively investing in new scanning infrastructure. The IP rotation between months, the burst scanning pattern, and the geographic diversity of source IPs all indicate a more operationally sophisticated actor that is scaling up its scanning capacity.

Whether these represent two distinct threat actors or two operational arms of the same group cannot be determined from the available data alone.

MITRE ATT&CK Mapping

Table 3: MITRE ATT&CK mapping

Trend Context

The month-over-month comparison tells a clear story of escalation for the ProxyShell campaign and stability for the ProxyLogon campaign:

Table 4: Month-over-month comparison for the ProxyShell/ProxyLogon campaign

The ProxyShell events roughly doubled, while ProxyLogon held flat and ProxyNotShell RCE declined slightly. This is not a uniform increase across Exchange exploitation; it is specifically the ProxyShell scanning campaign that is expanding. The appearance of numerous new high-volume source IPs in April, each generating roughly 1,100 to 1,200 events, suggests new scanning nodes coming online as part of a deliberate capacity expansion.

A smaller but persistent cluster of IPs in the 139.87.112.x and 139.87.113.x range (US) appeared in both March and April data at lower volumes (29 to 72 events each). This subnet's consistent, low-volume presence across months may represent a separate, more cautious scanning operation or a different actor conducting slower, more targeted reconnaissance.

These vulnerabilities, despite being three to five years old, are clearly not fading from the threat landscape. The doubling of ProxyShell scanning volume indicates that threat actors continue to find value in scanning for unpatched Exchange servers, which in turn implies that vulnerable servers continue to exist in sufficient numbers to justify the investment.

Top CVEs for April 2026

Table 5: Top 10 CVEs for April 2026

Trending CVEs for April

CVE-2025-55182

This CVSS 10.0 React Server Components pre-auth RCE vulnerability is the standout mover this month, jumping by 3,409 attacks to reach 5,554 total. The increase of over 159% month-over-month signals aggressive and accelerating exploitation by threat actors targeting modern JavaScript frameworks. Its perfect CVSS score and pre-authentication attack vector make it exceptionally dangerous. Defenders running React Server Components should treat patching as an emergency priority.

CVE-2024-4577

Despite shedding 4,289 attacks compared to the prior month, CVE-2024-4577 remains the most exploited vulnerability in our honeynet sensors with 11,982 observed attacks. This PHP CGI argument injection flaw on Windows continues to be a workhorse for automated exploitation campaigns. The decline may reflect gradual patching adoption or attacker attention shifting toward newer vulnerabilities like CVE-2025-55182. Its CVSS 9.8 rating and persistent high volume mean it should remain a top patching priority.

CVE-2025-55184

The pre-auth denial-of-service sibling to CVE-2025-55182, this vulnerability climbed three positions to fifth place with 2,715 attacks, a gain of 625. While its CVSS 7.5 score is lower than its RCE counterpart, the parallel rise suggests attackers are probing React Server Components infrastructure with both exploitation and disruption techniques. Defenders should note that patching for CVE-2025-55182 likely addresses this vulnerability as well, making a unified remediation approach essential.

CVE-2020-15505

MobileIron Core RCE re-entered the Top 10 this month with 1,667 attacks, an increase of 257. This CVSS 9.8 vulnerability is nearly five years old, yet its reappearance underscores how legacy mobile device management infrastructure remains exposed in many environments. Attackers frequently cycle back to older, reliable CVEs when scanning reveals unpatched targets. Organizations still running vulnerable MobileIron deployments face significant risk given the critical severity and proven exploitation history.

CVE-2022-41082

This Microsoft Exchange Server RCE vulnerability dropped two positions to eighth place with 2,122 attacks, a decline of 254. Alongside CVE-2021-34523 and CVE-2021-26855, all three Exchange vulnerabilities in the Top 10 showed decreasing activity this month. The collective decline across ProxyLogon and ProxyNotShell variants suggests the pool of vulnerable Exchange servers continues to shrink. However, combined these three Exchange CVEs still account for over 6,500 attacks, reinforcing that on-premises Exchange remains a high-value target.

Long Term Targeting Trends

Top CVEs

Figure 1: Six-month stacked graph of the top 5 CVEs.

In April 2026, overall exploit activity across the top five CVEs declined compared to March 2026, with total observed attempts dropping from approximately 44,342 to 35,085. CVE-2017-9841 remains the most persistently targeted vulnerability, recording 9,186 hits in April, down from its November 2025 peak of 27,075 but still consistently exploited across all 14 months observed. CVE-2024-4577 fell to 11,982 attempts after peaking at 16,271 in March 2026, though its rapid escalation since December 2025 (from 8,102 to sustained five-figure volumes) signals continued attacker interest. The two 2025-vintage CVEs, CVE-2025-55182 and CVE-2025-55184, both saw upticks in April to 2,777 and 2,715 respectively after declining in February and March, suggesting renewed scanning campaigns targeting these newer vulnerabilities.

Attack Types Over Time

Figure 2: Evolution of attack types over 6 months.

In April 2026, Predictable Resource Location surged to 831,302 events, a 21.3% increase over March's 685,078, making it the most observed attack type for the month. Cross Site Scripting (XSS) saw a dramatic spike, jumping from 81,806 in March to 220,400 in April, a 169% increase that warrants immediate attention from defenders. Path Traversal attacks nearly doubled as well, rising from 77,876 to 151,411. Command Execution declined modestly to 549,115 from 608,880, while Server Side Code Injection dropped 10.2% to 680,956. Information Leakage climbed 34.2% to 469,810, suggesting increased reconnaissance activity. The concurrent spikes in XSS, Path Traversal, and Information Leakage point to active exploitation campaigns probing web application attack surfaces, and defenders should prioritize input validation controls and directory access restrictions.

Top Source Countries

Figure 3: Source country geographical distribution.

In April 2026, the United States increased to 7,413,134 observed malicious events, a 53% increase from the previous month's 4,835,985 and the highest volume recorded in the analysis period. This spike contrasts sharply with declines across other top source countries. Germany dropped 29% from 3,560,239 to 2,537,972, while Singapore fell 49% from 1,303,632 to 661,917. France and Canada also saw notable decreases of 40% and 44% respectively. The concentration of activity shifting heavily toward US-based infrastructure suggests attackers are increasingly leveraging domestic cloud and hosting providers, making IP-based geoblocking less viable for defenders in North America. Security teams should prioritize behavioral detection over geographic filtering, as US-sourced traffic now accounts for a disproportionate share of total malicious activity observed across our honeynet sensors.

Top Target Destinations

Figure 4: Destination target geographical distribution (normalized per sensor).

Australia

Australian sensors record a mix of web application exploitation and credential abuse, consistent with patterns seen across other English-speaking target countries. However, the timing of attack surges in Australia often follows a different diurnal cycle, suggesting threat actors operating from time zones not typically associated with campaigns against North American or European targets.

United Kingdom

Our UK-based sensors register a steady stream of web application exploitation and command injection attempts. The attack profile here is distinguished by a higher relative frequency of probing activity that targets web-facing services rather than network-layer protocols.

Canada

Attack traffic directed at Canadian sensors is characterized by persistent authentication bypass attempts and credential stuffing activity. Compared to other regions, Canadian infrastructure sees a notable proportion of automated login abuse targeting commonly exposed administrative interfaces.

Singapore

Singaporean sensors serve as a bellwether for Southeast Asian threat activity, capturing a high density of remote code execution and command injection attempts. The attack profile here is uniquely shaped by its position as a regional connectivity hub, attracting both transit-based scanning and targeted exploitation.

United States

Sensors deployed in the United States continue to absorb the highest volume of attack traffic, with a broad mix of credential brute-forcing, remote code execution attempts, and web application exploitation dominating the landscape. The sheer diversity of attack techniques observed here reflects the country's status as a primary target for both opportunistic scanning and more deliberate intrusion campaigns.

Conclusion

The Exchange activity observed in April 2026 reinforces a familiar but important reality. Older, well documented vulnerabilities continue to attract sustained attention when they affect widely deployed, internet facing services. Despite years of patch availability, ProxyShell, ProxyLogon, and ProxyNotShell remain reliable discovery targets for threat actors looking to identify exposed Exchange servers at scale.

The data shows this activity is not uniform. A steady, long running baseline of ProxyLogon scanning persists, while a separate ProxyShell focused operation is clearly expanding through increased volume, burst driven execution, and active infrastructure rotation. This divergence highlights how different operators continue to extract value from the same vulnerability set using distinct operational models.

For defenders, the presence of these scans in 2026 suggests that unpatched or insufficiently monitored Exchange servers still exist in meaningful numbers. Organizations running on premises Exchange should assume that exposure will be found quickly and repeatedly, and should prioritize patch validation, log review, and post compromise hunting rather than relying on the age of the vulnerabilities as a risk reduction factor.

Recommendations

Immediate Actions

1. Verify Exchange patch status: Confirm all on-premises Exchange Server 2013, 2016, and 2019 instances have the latest cumulative updates applied. Patches for ProxyLogon have been available since March 2021, ProxyShell since mid-2021, and ProxyNotShell since November 2022. Any server missing these updates should be treated as potentially compromised.
2. Hunt for web shells: Organizations that may have been vulnerable at any point should search for web shells in standard Exchange directories, particularly aspnet_client, OAB virtual directories, and the Exchange frontend directories. Review IIS logs for suspicious requests to /autodiscover/autodiscover.json, /mapi/nspi/, and PowerShell virtual directory endpoints.
3. Block or monitor high-volume scanning sources: The following IPs were the most active sources in April 2026:

• 77.246.106.116 (NL), 172.232.212.182 (IT), 137.184.122.215 (US)
• 2.58.46.82 (DK), 37.46.119.245 (CH), 57.129.25.97 (DE)

Note: source IPs rotate monthly, so IP-based blocking provides only short-term value.

Strategic Actions

1. Implement network segmentation: Exchange servers should be isolated from critical internal networks to limit lateral movement in the event of compromise.
2. Deploy web application firewall rules: WAF rules can detect and block ProxyShell, ProxyLogon, and ProxyNotShell exploit patterns at the network edge, providing defense-in-depth even for patched servers.
3. Do not whitelist cloud provider IP ranges: The use of major cloud platforms (Azure, DigitalOcean, Linode, OVH) for scanning means that blanket trust of cloud provider IP ranges creates blind spots for detection.