Microsoft has warned that "multiple actors" are attacking its clients' email servers following a global hacking campaign which it last week attributed to a China-based state-sponsored group.
Researchers fear the tools used by the initial state-sponsored attackers to access Microsoft Exchange servers could now be exploited by criminals, with calls growing for President Biden to urgently raise the issue with Beijing.
The Chinese state-sponsored campaign is believed to have indiscriminately compromised tens of thousands of on-premise email servers worldwide with an intention to subsequently target specific victims.
Last week government security authorities amplified Microsoft's urgent call for customers running on-premise Exchange servers to apply the patch, and the company is now warning that there are multiple groups taking advantage of unpatched systems.
Microsoft initially warned that the state-sponsored group "primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs".
After compromising email servers belonging to these organisations, Microsoft said the attackers created web shells - interfaces which allow them to remotely access the compromised network even after the original vulnerabilities were patched - which is provoking additional concern.
Because the campaign was so broad, not all of the compromised servers are operated by organisations that would typically be of interest to cyber spies
But experts are concerned that if criminals were to piggyback on those spies' access then they could cause significant collateral damage.
Dmitri Alperovitch, the co-founder and former chief technology officer of cyber security firm Crowdstrike, warned that financially-motivated criminals could access these webshells and potentially deploy ransomware.
"Because this campaign is still ongoing - Chinese have webshells on tens of thousands of networks - the response must demand immediate shutdown of those implants to limit damage, not just signal our displeasure with the fact that it had occurred. Needs to happen now," he added.
The UK's National Cyber Security Centre said it is working to establish the extent of the campaign's impact on the country.
One cyber security professional told Sky News their business had seen a number of clients in the UK compromised by the campaign, many of whom they would not have expected to be a typical target for Beijing, suggesting the attackers would have a subsequent triage stage to select specific victims.
The Washington Post reported that the "indiscriminate nature" of the campaign has caused concern among officials, and that the Biden administration was moving to address the incident - although no actions have yet been announced.