Microsoft Exchange ECP Probe (ProxyShell / ProxyLogon) for 2026-03-05
Mar 05, 2026
WebExploit
Last Updated: 12:11 UTC
The Exchange Control Panel (/ecp/) is the attack surface for ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473/34523/31207). Both exploit chains begin with ECP requests and achieve unauthenticated RCE leading to ASPX webshell deployment on the Exchange server.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
Attackers by Country
IP Address : ASN : City/Provider
-
157.245.36.108 : AS14061 digitalocean llc : London
-
207.154.197.113 : AS14061 digitalocean llc : Frankfurt am Main