Recommended audience for this post: Exchange Administrators, System Administrators, IT Managers, and CIOs.

Summary

Microsoft has detected multiple 0-day exploits being used by the cybercriminal group HAFNIUM to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. It is critical that Exchange Server (on-premise) customers keep their Microsoft environment up-to-date with the most recent patch releases.

  • Affected systems: Microsoft Exchange Server 2013, 2016 and 2019 on-premises. (NB: Exchange Online is NOT affected)
  • Affected countries: United States (may spread to the rest of the world)
  • Affected industries: Infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs.

How can I check if my Microsoft Exchange Server has been compromised?

The Exchange Server team has created a script that checks a server for HAFNIUM IOCs, written to address performance and memory concerns. The script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security

How does the exploit work?

In the attacks observed, the threat actor used these vulnerabilities to access on-premise Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments.

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM was written in ASP.

[Figure: example of a script run by threat actors on a vulnerable Microsoft Exchange Server 2013/2016/2019]

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasise the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.

What can I do NOW to protect my Exchange environment from the exploit?

  • SLA Clients of AVeS Cyber Security: The A-Team would have installed the KB5000871 update to protect your Exchange environment. You can get a report of Exchange Server Version and Update statistics to verify whether the update has been applied.
  • Non-SLA Clients: Check the current Exchange Server Version and Update statistics. Install KB5000871 to protect the Exchange environment, or contact us to assist you.
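The version check above can be automated. The following PowerShell is an added example (not part of the original post and not Microsoft's IOC script): it reads the real installed build of every on-premises Exchange server from ExSetup.exe and compares it with the patched builds you pass in. It assumes you run it from the Exchange Management Shell with WinRM access to each server, and that the post-KB5000871 build for each Cumulative Update you run is supplied by you from Microsoft's "Exchange Server build numbers and release dates" page.

```powershell
# Added example (not from the original post or from Microsoft).
# Reports each Exchange server's installed build and whether it is at or above the
# patched build for its CU. Run from the Exchange Management Shell.
#
# -PatchedBuilds is an ASSUMED input: one post-KB5000871 build string per CU in use,
# copied from Microsoft's "Exchange Server build numbers and release dates" page.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$PatchedBuilds
)

$patched = @($PatchedBuilds | ForEach-Object { [version]$_ })

# AdminDisplayVersion from Get-ExchangeServer only changes with a CU, so a security
# update is invisible there. The file version of ExSetup.exe does reflect the SU.
$readBuild = {
    $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).FileVersion
}

$results = foreach ($server in Get-ExchangeServer) {
    try {
        $build = [version](Invoke-Command -ComputerName $server.Fqdn `
                                          -ScriptBlock $readBuild -ErrorAction Stop)

        # Same Major.Minor.Build means the same CU; an SU only bumps the Revision,
        # so compare only against the patched build for this server's own CU.
        $sameCu = $patched | Where-Object {
            $_.Major -eq $build.Major -and $_.Minor -eq $build.Minor -and $_.Build -eq $build.Build
        } | Select-Object -First 1

        $status = if (-not $sameCu) { 'CU NOT IN PATCHED LIST - verify it is a supported CU' }
                  elseif ($build -ge $sameCu) { 'PATCHED' }
                  else { 'UNPATCHED - install KB5000871' }
    }
    catch {
        # Unreachable server or missing ExchangeInstallPath: report rather than skip,
        # because a server that cannot be checked is not a server known to be safe.
        $build  = $null
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server.Name; Build = $build; Status = $status }
}

$results | Sort-Object Status, Server | Format-Table -AutoSize
```

A server whose CU does not appear in the list you supplied is flagged separately, since a CU that did not receive the update cannot be considered protected.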

What else can I do to protect my Exchange environment in the future?

Install all the latest security updates from Microsoft to all Windows servers. Ensure that regular patch cycles run successfully.
