SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange or Courier). These rules are distinct from the mail protocol rules: they cover traffic directed at the mail server software itself rather than the SMTP/IMAP/POP protocol exchange.
SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
This rule looks for a Clixml object containing the malicious type System.Windows.Markup.XamlReader[][].
This rule alerts on an attempt to execute code on a Microsoft Exchange server using a type confusion bypass.
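The rule's indicator is a type name inside a CLIXML (PowerShell remoting serialization) payload. The script below is an added example, not Snort's rule logic or Cisco Talos code: it parses a CLIXML document, collects the type names declared in `<TN>`/`<T>` elements, and reports any that match the type the rule description names. The CLIXML namespace and element layout are assumptions based on the PowerShell remoting format; the two sample documents are constructed for illustration. Because remoting fragments can arrive truncated, the parser falls back to a plain regex scan when the XML does not parse.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: PowerShell remoting serializes objects as CLIXML in this namespace.
PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# The type name the Snort rule keys on, taken from the rule description.
SUSPICIOUS_TYPES = {"System.Windows.Markup.XamlReader[][]"}


def clixml_type_names(clixml_text):
    """Return every type name declared in <TN>/<T> elements of a CLIXML document.

    If the document is truncated or otherwise malformed, fall back to a regex
    scan so that a partial fragment still yields the type names it carries.
    """
    try:
        root = ET.fromstring(clixml_text)
    except ET.ParseError:
        return [m.strip() for m in re.findall(r"<T>([^<]+)</T>", clixml_text)]

    names = []
    for elem in root.iter():
        # Tags are namespaced when the default xmlns is declared, bare otherwise.
        if elem.tag == "T" or elem.tag == f"{{{PS_NS}}}T":
            if elem.text:
                names.append(elem.text.strip())
    return names


def find_suspicious_types(clixml_text):
    """Return the sorted set of declared type names matching the rule indicator."""
    return sorted({n for n in clixml_type_names(clixml_text) if n in SUSPICIOUS_TYPES})


# Constructed sample: an ordinary hashtable serialized by PowerShell remoting.
BENIGN = (
    f'<Objs Version="1.1.0.1" xmlns="{PS_NS}">'
    '<Obj RefId="0"><TN RefId="0"><T>System.Collections.Hashtable</T>'
    '<T>System.Object</T></TN>'
    '<DCT><En><S N="Key">Name</S><S N="Value">mailbox01</S></En></DCT>'
    '</Obj></Objs>'
)

# Constructed sample: the same envelope, but the object declares the flagged type.
FLAGGED = (
    f'<Objs Version="1.1.0.1" xmlns="{PS_NS}">'
    '<Obj RefId="0"><TN RefId="0"><T>System.Windows.Markup.XamlReader[][]</T>'
    '<T>System.Array</T><T>System.Object</T></TN><LST/>'
    '</Obj></Objs>'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("flagged", FLAGGED), ("truncated", FLAGGED[:-10])):
        print(label, "->", find_suspicious_types(doc))
```

The lookup is an exact match on the declared type name, mirroring the single indicator the rule description gives; a production detector would normally apply this check to each defragmented remoting message rather than to one XML string.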
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File
MITRE::ATT&CK Framework::Enterprise::Privilege Escalation::Exploitation for Privilege Escalation
Rule Categories::Server::Mail
None
No information provided
None