Microsoft disclosed a zero-day vulnerability (CVE-2026-42897) in Exchange Outlook Web Access (OWA) that is actively being exploited and stems from a cross-site scripting (XSS) flaw allowing attackers to compromise mailboxes and execute spoofing attacks. While no patch is yet available, Microsoft recommends enabling the Exchange Emergency Mitigation Service or applying an updated mitigation tool to reduce risk until a security update is released.
https://www.darkreading.com/vulnerabilities-threats/microsoft-exchange-zero-day-no-patch
