Exchange Server is the core email platform for many organizations; a successful exploit lets an attacker silently take over an employee's authenticated email session by sending a single malicious message. From that foothold, attackers can read and exfiltrate email, impersonate executives, move laterally into connected systems, or launch internal phishing at scale — all without requiring the victim to click a link or open an attachment beyond previewing the email. Regulatory exposure is immediate for any organization subject to data protection obligations, given that email typically contains sensitive internal communications, customer data, and financial information.
You Are Affected If
You run Microsoft Exchange Server 2016, 2019, or Subscription Edition (SE) on-premises
Outlook on the Web (OWA) is enabled and accessible to users
OWA is internet-facing or accessible from untrusted networks without a WAF or IPS with XSS detection rules
The Exchange Emergency Mitigation Service (EEMS) is not enabled, or it has not yet received and applied the CVE-2026-42897 mitigation
You have not run the Exchange On-premises Mitigation Tool (EOMT) as a manual mitigation step
Board Talking Points
Attackers are actively exploiting a zero-day flaw in our on-premises Microsoft Exchange email servers that can be triggered by opening a single malicious email, with no patch yet available.
Our security team must apply Microsoft's emergency mitigation tool to all affected Exchange servers within 24 hours — this is the only available defense until a patch is released.
Organizations that do not apply this mitigation remain exposed to full email account takeover, internal data theft, and further network compromise from a single phishing email.
GDPR — Exchange email servers routinely process personal data of EU data subjects; session hijacking via OWA creates a plausible personal data breach notification obligation under Article 33
HIPAA — Healthcare organizations using on-premises Exchange for clinical or administrative email face a reportable breach risk if exploitation results in access to protected health information
PCI-DSS — If Exchange is used to transmit cardholder data or is network-adjacent to the cardholder data environment, exploitation increases scope and breach notification risk