What Happened
Microsoft disclosed and confirmed active in-the-wild exploitation of CVE-2026-42897, a cross-site scripting vulnerability in Outlook Web Access (OWA) on on-premises Exchange Server. The flaw carries a CVSS score of 8.1 and affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Exchange Online is not affected.
The attack chain is straightforward: an attacker sends a crafted email to a target. If the recipient opens the message in OWA, the embedded malicious JavaScript executes in the browser context of the authenticated session. From there, an attacker gains access to the OWA session — including the ability to read email, send messages as the victim, and access any resources the user’s session permits. No clicks beyond opening the message are required. Microsoft credited an anonymous researcher with the discovery.
Microsoft has released a mitigation — a configuration change that restricts how OWA renders certain message content. However, applying the mitigation comes with trade-offs: OWA calendar printing functionality stops working and inline images in the recipient’s reading pane no longer display correctly. A full patch has not yet been released as of May 15, 2026. According to reporting from The Hacker News and Help Net Security, exploitation was observed prior to the public advisory.
Why This Matters for Canadian Organizations
On-premises Exchange Server remains common across Canadian government, education, healthcare, legal, and financial services organizations — particularly those that have not migrated to Exchange Online due to data residency requirements, compliance mandates, or legacy integration dependencies. For these environments, this is a high-priority incident.
The attack’s simplicity — send an email, wait for the target to open it in OWA, gain session access — makes it operationally attractive for targeted espionage campaigns and credential-harvesting operations. Canadian government departments using on-premises Exchange for handling sensitive or protected information face a meaningful risk window until a full patch is available. This is also directly relevant under PIPEDA: if session hijacking leads to unauthorized access to personal information held in email, it triggers breach assessment obligations.
Threat actors targeting Canadian organizations through email-based initial access, including the nation-state and financially motivated groups documented in CCCS advisories, have consistently exploited Exchange vulnerabilities. CVE-2026-42897 fits the profile of a low-friction, high-value entry point that adversaries move to weaponize quickly after a Microsoft advisory confirms exploitation.
What to Do
Apply Microsoft’s published mitigation immediately if your organization runs on-premises Exchange Server 2016, 2019, or SE. Accept the functional trade-offs — broken calendar printing and missing inline images — as a worthwhile exchange for eliminating the attack vector. Monitor Microsoft’s Exchange blog and security update guide for a full patch release. Until the patch arrives, increase monitoring of OWA authentication logs for anomalous session activity: logins from unexpected IP addresses, rapid access to multiple mailboxes, or unusual message-send activity shortly after a message is opened. If your organization runs Exchange Online exclusively, no action is required for this vulnerability. Treat this event as additional evidence that on-premises Exchange migration planning deserves renewed priority.
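The three monitoring signals above, turned into a small detector run over constructed OWA access records. This is an added example, not Microsoft's or the advisory's code; the six-field log layout, the action names (auth, GetItem, CreateItem), the /owa/<mailbox>/ explicit-logon path convention and the thresholds are assumptions to be adapted to your own IIS/OWA log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)    # assumed span for "rapid" / "multiple IP" correlation
SEND_GAP = timedelta(seconds=30)  # assumed: a send this soon after a read is suspicious

# Constructed sample records: date time client-ip user uri action (not a real log format)
SAMPLE_LOG = """\
2026-05-15 09:00:01 203.0.113.5 alice /owa/ auth
2026-05-15 09:00:07 203.0.113.5 alice /owa/service.svc GetItem
2026-05-15 09:00:09 198.51.100.77 alice /owa/ auth
2026-05-15 09:00:11 198.51.100.77 alice /owa/service.svc CreateItem
2026-05-15 09:00:20 198.51.100.77 alice /owa/finance@example.ca/ GetItem
2026-05-15 09:00:22 198.51.100.77 alice /owa/hr@example.ca/ GetItem
2026-05-15 09:00:25 198.51.100.77 alice /owa/legal@example.ca/ GetItem
2026-05-15 10:30:00 203.0.113.8 bob /owa/ auth
2026-05-15 10:40:00 203.0.113.8 bob /owa/service.svc GetItem
"""

def parse_line(line):
    """Parse one constructed record into a dict with a datetime timestamp."""
    date, time, ip, user, uri, action = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": ip, "user": user, "uri": uri, "action": action}

def analyze(log_text):
    """Return {user: [finding, ...]} for the three anomalies named in the advisory."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    findings = defaultdict(set)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            # Sliding window: every record from this one up to WINDOW later
            window = [r for r in recs[i:] if r["ts"] - rec["ts"] <= WINDOW]
            ips = {r["ip"] for r in window if r["action"] == "auth"}
            if len(ips) > 1:  # same user authenticating from several addresses
                findings[user].add(f"auth from {len(ips)} IPs within {WINDOW}: {sorted(ips)}")
            boxes = {r["uri"] for r in window if r["uri"].startswith("/owa/") and "@" in r["uri"]}
            if len(boxes) >= 3:  # explicit logon to many other mailboxes in quick succession
                findings[user].add(f"{len(boxes)} distinct mailboxes opened within {WINDOW}")
            if rec["action"] == "GetItem":  # a send right after a read, as in the attack chain
                gaps = [r["ts"] - rec["ts"] for r in window if r["action"] == "CreateItem"]
                if gaps and min(gaps) <= SEND_GAP:
                    findings[user].add(f"send {int(min(gaps).total_seconds())}s after read at {rec['ts']}")
    return {u: sorted(f) for u, f in findings.items()}
```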