Squirrelwaffle targeted vulnerable exchange servers to spread malspam through hijacked email threads as reported by the Sophos tech. As per the experts, the Squirrelwaffle is a new malware loader that was discovered back in September 2021.

Sophos’ security team recently investigated and found that malware was used in conjunction with Proxy Login and Proxy Shell exploits which mainly target an unpatched MS Exchange server.


It’s a malware loader that is distributed as a malicious office document in phishing campaigns. Whenever the malware is infected in the target system, Squirrelwaffle typically downloads executes Cobalt Strikes beacons and gives system control to the attackers.

And as per Sophos, the malware attack ends when the vulnerable servers are patched and remediated which removes the attacker’s ability to send mails. Also, attackers use typo-squatted domains which means domains that appear to be legitimate so to lure the users to reply to the typo-squatted domains such for example if the Original vendor from Microsoft appears to be: [email protected] and typo-squatted domains appears to be xyz@m!cros0ft.com which is suspicious. 


  • Exchange servers need to be patched with the latest Microsoft updates.
  • Defenders to make sure original emails been sent to users need to implement industry-standard phishing email or spoofed mail detection such as SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), DMRAC (Domain Message Authentication Reporting and Conformance).  
  • To implement a Proper incident response plan in the organization.
  • Always monitor for typo-squatted domains which might sometimes be used by the attackers to target the Company employees and products.
  • Create user awareness training for internal employees on such attacks.      

By Michael

Writer of Infohaunt is an Cyber Security Professional have experience in SOC operations, Threat Management, Incident Response, Threat Hunting, Digital Forensics.