The active exploitation of CVE-2026-42897 in Microsoft Exchange Server through a crafted email that triggers cross-site scripting in Outlook Web Access reveals a familiar pattern: threat actors continue to target legacy on-premise deployments long after cloud alternatives became available. While the original advisory correctly flags the spoofing risk and provides the Exchange Emergency Mitigation Service as a stopgap, it understates how this vulnerability fits into a broader campaign against air-gapped or compliance-bound environments. Historical parallels include the 2021 ProxyLogon and ProxyShell chains used by Chinese state-linked groups such as Hafnium to compromise U.S. government agencies and defense contractors; those incidents demonstrated that even unpatched Exchange instances serve as reliable beachheads for credential harvesting and lateral movement. The current flaw's requirement for user interaction in OWA does not diminish its utility—spear-phishing remains a low-cost entry vector against organizations that retain on-premise servers for regulatory or sovereignty reasons. Microsoft’s note that Exchange Online is unaffected highlights the widening gap between cloud tenants and the substantial installed base of Exchange 2016, 2019, and Subscription Edition still running in critical infrastructure. The absence of attribution details in the disclosure is unsurprising given the early stage, yet the technical profile aligns with prior nation-state tradecraft rather than commodity crimeware. Organizations applying only the URL-rewrite mitigation should treat it as temporary; without accelerated migration or hardened segmentation, similar zero-days will continue to surface against these high-value targets.