Microsoft Exchange ECP Probe (ProxyShell / ProxyLogon) for 2026-03-12
Mar 12, 2026
WebExploit
Last Updated: 12:11 UTC
The Exchange Control Panel (/ecp/) is the attack surface for ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473/34523/31207). Both exploit chains begin with ECP requests and achieve unauthenticated RCE leading to ASPX webshell deployment on the Exchange server.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
Attackers by Country
IP Address : ASN : City/Provider
- 40.119.24.130 : AS8075 microsoft corporation : San Antonio