A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.
"With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems," Andersen said. "This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations." Anderson added that CISA recommends organizations also "evaluate the use of cloud-based email services" rather than "managing the complexities" of hosting their own.