
Cyber Incident Victim: Rackspace Technology

Date:

Dec 2022

Location:

United States of America

Summary

A threat actor known as PLAY exploited a previously unknown vulnerability (CVE-2022-41080) to compromise Rackspace's Hosted Exchange email environment, accessing the Personal Storage Table (PST) files of 27 customers out of nearly 30,000. Forensic analysis found no evidence that the attacker exfiltrated or misused data. The financially motivated attack affected only the Hosted Exchange service, which was subsequently discontinued in favor of migrating customers to Microsoft 365 at no cost increase for equivalent plans. Extensive data recovery efforts restored pre-incident historical email data for over half of the impacted customers, though fewer than 5% downloaded their available mailboxes. No other products or platforms were affected, and security monitoring confirmed no lateral movement beyond the targeted environment.

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Description

On December 2, 2022, Rackspace detected suspicious activity within its Hosted Exchange email environment, prompting immediate containment measures that included taking all affected servers offline. The company engaged CrowdStrike and other cybersecurity experts to investigate the incident, which was later attributed to the financially motivated threat actor known as PLAY. Forensic analysis revealed the attackers exploited CVE-2022-41080, a previously unknown zero-day vulnerability that Microsoft had initially classified only as a privilege escalation flaw, not recognizing its potential for remote code execution. This exploit enabled unauthorized access to the environment, though investigators confirmed the attack was confined to Hosted Exchange systems with no lateral movement to other Rackspace products or platforms. Of approximately 30,000 Hosted Exchange customers, the threat actor accessed Personal Storage Table (PST) files belonging to 27 customers, though CrowdStrike found no evidence that emails or data within these PSTs were viewed, copied, or misused. Rackspace maintained continuous monitoring through CrowdStrike's Falcon endpoint detection tool, confirming no attacker activity in the environment after December 2.


Rackspace initiated a multi-phase data recovery process involving isolated server restoration, manual malware removal, and implementation of enhanced security controls before transferring historical email data to customers. Engineers built automated systems to extract PST files and correlate them with customer accounts, recovering pre-December 2 email data that was made available for download through a secure portal for 30 days. By January 5, 2023, over half of the impacted customers had recoverable data available, though fewer than 5% had downloaded their mailboxes. Concurrently, Rackspace accelerated the migration of all Hosted Exchange customers to Microsoft 365, offering equivalent capabilities without price increases, while maintaining Rackspace Email as an alternative. The company confirmed the Hosted Exchange service would not be restored, citing pre-existing plans to migrate to Microsoft 365, which offered more modern features. The forensic investigation concluded with no further updates to the status page, though support teams continued assisting with data recovery and migration. Data recovery efforts prioritized pre-incident email archives; public folders and any emails forwarded or received after December 2 were excluded and remained accessible only through migrated accounts or third-party archives.
