CERT-EUUPDATE: New Microsoft Exchange Zero-Day Vulnerabilities (CERT-EU Security Advisory 2022-068)
On September 28, 2022, the security researchers at Vietnamese cybersecurity vendor GTSC published a blog post claiming they have discovered an attack campaign which utilised two zero-day bugs in Microsoft Exchange that could allow an attacker a remote code execution. The attackers are chaining the pair of zero-days to deploy web shells, notably China Choppers, on compromised servers for persistence and data theft, as well as move laterally to other systems on the victims' networks.
Microsoft had identified the vulnerabilities as CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA).
https://www.cert.europa.eu/static/SecurityAdvisories/2022/CERT-EU-SA2022-068.pdf
g0h4n 
Swissky 
Lars Karlslund