Running MS Exchange or Hosted Exchange? What you must do now.

Hitting everything from the European Banking Authority to senior living facilities, utility providers, an ice cream company, law firms, small hotels, and a kitchen appliance manufacturer, this rapidly escalating attack is infiltrating small and midsize businesses across the world.

As security experts are called in to assess the depth of the breaches and eliminate bad actors now inside corporate email systems, the fallout and cost are sure to be massive. Microsoft continues to work to contain the breach and urges customers to update as soon as possible, saying “we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

Businesses running Microsoft Exchange should immediately engage their IT teams and:

1. Patch all Microsoft Exchange servers
2. Externally validate patches
3. Proactively hunt for web shells and other indicators of compromise
4. Alert employees and clients to the breach
5. Engage with a trusted IT professional to understand full scope

According to the Washington Post, the Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through Microsoft’s popular Exchange email software.

First reported on Friday, March 5, the breach was thought to have impacted around 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments. By Monday, the Washington Post was reporting at least 60,000 businesses worldwide had been compromised, causing concern among U.S. national security officials in part because hackers were able to infect so many victims so quickly. Researchers say that in the final phases of the attack the perpetrators appeared to have automated the process, taking out tens of thousands of new victims in a matter of days.

Microsoft says that hackers used web shells to remotely control compromised servers, allowing the attackers to steal data and take actions that lead to further compromise.

The compromised endpoints do have anti-virus or endpoint detection and response (EDR) tools installed, but Huntress Senior Security Researcher John Hammond explains that hackers have been able to slip past most preventative security products. Huntress has seen honeypots – decoys meant to bait hackers – attacked, making it clear that adversaries are simply scanning the internet looking for low-hanging fruit.

The earliest sign of Microsoft Exchange compromise Huntress has observed was on Saturday morning, and the hackers were continuing to drop web shells into the early morning hours Wednesday, Huntress wrote on Reddit Wednesday morning. Huntress said it first learned about the zero-day vulnerabilities Monday afternoon when a technology partner reached out. Microsoft didn’t disclose the hack until Tuesday.

The Microsoft Exchange zero-day vulnerabilities can be leveraged by hackers to gain remote code execution and fully compromise targeted organizations, according to Hammond. At that point, Hammond said the hackers have a foothold in the victim’s network, allowing them to expand their access and do much more damage.

In response, Hammond said IT departments should not only patch immediately but also externally validate the patch and proactively hunt for the presence of web shells and other indicators of compromise. Thus far, Hammond said it doesn’t look like any preventive security products actually block the malicious web shell from getting dropped.
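Step 3 of the list above (and Hammond's advice here) is to hunt for web shells rather than trust that a preventive product blocked them. The script below is an added example, not code from the article, Huntress or Microsoft: it walks a web-content tree, ignores script files whose SHA-256 matches a known-good baseline, and reports everything else, noting whether the file was modified after a cutoff date and whether it contains generic server-side execution markers. The directory names, the cutoff date, the marker list and the sample files are all constructed for the demo; real hunts should use the hashes of a clean installation as the baseline and the vendor's published indicators for the content check.

```python
"""Triage helper for finding possible web shells under an IIS content tree.

Added example (not from the article, Huntress or Microsoft). Flags ASP.NET
script files that are absent from a known-good hash baseline, records whether
they changed after a cutoff date, and notes generic execution markers.
"""
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions IIS executes server-side; a dropped file with one of these is
# the classic web-shell shape.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Generic content markers, constructed for this example (not article IoCs).
CONTENT_MARKERS = [
    re.compile(rb"Process\.Start", re.IGNORECASE),
    re.compile(rb"\beval\s*\(", re.IGNORECASE),
    re.compile(rb"Request\.Item\b", re.IGNORECASE),
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_web_shells(root, baseline_hashes, since):
    """Return one finding per script file under `root` not in the baseline.

    Every file outside the baseline is a triage lead; the reasons list says
    why it stood out so an analyst can prioritise.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        digest = sha256_of(path)
        if digest in baseline_hashes:
            continue  # byte-identical to a known-good file
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        content = path.read_bytes()
        markers = [m.pattern.decode() for m in CONTENT_MARKERS if m.search(content)]
        reasons = ["not in known-good baseline"]
        if modified >= since:
            reasons.append(f"modified after {since.date()}")
        if markers:
            reasons.append("content markers: " + ", ".join(markers))
        findings.append({
            "path": str(path),
            "sha256": digest,
            "modified": modified.isoformat(),
            "reasons": reasons,
        })
    return findings


def run_demo():
    """Build a constructed tree with one baseline file and one dropped file."""
    root = Path(tempfile.mkdtemp(prefix="owa-demo-"))
    auth_dir = root / "owa" / "auth"          # constructed path, not a real IoC
    auth_dir.mkdir(parents=True)
    known_good = auth_dir / "logon.aspx"      # stand-in for a shipped page
    known_good.write_bytes(b'<%@ Page Language="C#" %><html>constructed benign page</html>')
    baseline = {sha256_of(known_good)}        # hashes from a clean install go here
    dropped = auth_dir / "dropped_sample.aspx"  # constructed name
    dropped.write_bytes(
        b'<%@ Page Language="C#" %>'
        b'<!-- constructed, non-functional sample mentioning Process.Start -->'
    )
    # Assumed cutoff: shortly before the first activity the article describes.
    cutoff = datetime(2021, 3, 1, tzinfo=timezone.utc)
    return hunt_web_shells(root, baseline, cutoff)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["sha256"][:12], "; ".join(finding["reasons"]))
```

Anything the script reports is a lead, not a verdict: a file can be outside the baseline because a patch replaced it, so rebuild the baseline from a freshly patched server and review the remaining hits by hand. Point `root` at the server's web content directories and run it from a host you trust, since the tooling on a compromised server cannot be assumed honest.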

“These attacks are grave due to the fact that every organization simply has to have email, and Microsoft Exchange is so widely used,” Hammond wrote in his blog post. “These servers are typically publicly accessible on the open internet and they can be exploited remotely.”

Portions of this article were originally written by Michael Novinson and published at CRN, and by William Turton and Jordan Robertson of Bloomberg and published at The Washington Post.