Microsoft has urged Azure users to update their systems following the discovery of a major new attack campaign targeting popular email server software.

The worm, which Infosecurity reported on last week, targets mail transfer agent product Exim running on Linux-based email servers. It’s claimed that Exim is running on over half (57%) of the world’s email servers, with as many as 3.5 million vulnerable to the new attack.

In a security update on Friday, Microsoft confirmed that the attack imperils servers running Exim version 4.87 to 4.91. It said that although Azure has “controls” in place to prevent the spread of the worm, customers could still be vulnerable to infection and should update their systems as soon as possible.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” Microsoft explained.

“There is a partial mitigation for affected systems that can filter or block network traffic via?Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’?malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution?(RCE)?exploitation if the attacker’s IP Address is permitted through Network Security Groups?”

Two waves of attack have been spotted in the wild, downloading a cryptocurrency mining payload to monetize the threat. The more sophisticated of the two uses Tor services and creates “deceiving windows icon files” to throw security teams off the scent.

As well as downloading the payload, the malware searches for additional vulnerable servers on the internet, connects to them, and infects them with the initial script, according to Cybereason.