exchange-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly shows and instructs embedding plaintext credentials and passwords directly into commands and scripts (e.g., -Password 'Pass123', curl/ntlm auth, webshell usage) and guides using obtained secrets verbatim, which requires the LLM to handle and output secret values.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is a clear malicious playbook: it provides step-by-step guidance to exploit Exchange (ProxyLogon/ProxyShell/ProxyNotShell), perform OWA password-spraying and NTLM information harvesting/relay, deploy webshell backdoors and RCE, extract mailboxes/GAL and credentials (mimikatz/DCSync), and remove traces—all behaviors indicative of intentional compromise, data exfiltration, credential theft, privilege escalation, and persistence.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and interpreting responses from arbitrary external Exchange endpoints (e.g., curl -sk https://TARGET/owa and /autodiscover) — untrusted, user-controlled third‑party content that directly influences exploit decisions and next actions.