Effective URL: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
March 2, 2021 • 9 min read


HAFNIUM TARGETING EXCHANGE SERVERS WITH 0-DAY EXPLOITS

 * Microsoft Threat Intelligence Center (MSTIC)
 * Microsoft Defender Threat Intelligence
 * Microsoft 365 Security


Update [03/16/2021]: Microsoft released updated tools and investigation guidance
to help IT Pros and incident response teams identify, remediate, and defend
against associated attacks: Guidance for responders: Investigating and
remediating on-premises Exchange Server vulnerabilities.

Update [03/15/2021]: Microsoft released a new one-click mitigation tool, the
Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not
have dedicated security or IT teams to apply security updates for Microsoft
Exchange Server. 

Update [03/08/2021]: Microsoft continues to see multiple actors taking advantage
of unpatched systems to attack organizations with on-premises Exchange Server.
To aid defenders in investigating these attacks where Microsoft security
products and tooling may not be deployed, we are releasing a feed of observed
indicators of compromise (IOCs). The feed of malware hashes and known malicious
file paths observed in related attacks is available in both JSON and CSV formats
at the below GitHub links. This information is being shared as TLP:WHITE: CSV
format | JSON format

Update [03/05/2021]: Microsoft sees increased use of these vulnerabilities in
attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.
To aid customers in investigating these attacks, Microsoft Security Response
Center (MSRC) has provided additional resources, including new mitigation
guidance: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021

Update [03/04/2021]: The Exchange Server team released a script for checking
HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for
indicators of compromise.

 

Microsoft has detected multiple 0-day exploits being used to attack on-premises
versions of Microsoft Exchange Server in limited and targeted attacks. In the
attacks observed, the threat actor used these vulnerabilities to access
on-premises Exchange servers which enabled access to email accounts, and allowed
installation of additional malware to facilitate long-term access to victim
environments. Microsoft Threat Intelligence Center (MSTIC) attributes this
campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored
and operating out of China, based on observed victimology, tactics and
procedures.

The vulnerabilities recently being exploited were CVE-2021-26855,
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed
in today’s Microsoft Security Response Center (MSRC) release – Multiple Security
Updates Released for Exchange Server. We strongly urge customers to update
on-premises systems immediately. Exchange Online is not affected. We have
established a resource center that is constantly updated as more information
becomes available at https://aka.ms/ExchangeVulns.

We are sharing this information with our customers and the security community to
emphasize the critical nature of these vulnerabilities and the importance of
patching all affected systems immediately to protect against these exploits and
prevent future abuse across the ecosystem. This blog also continues our mission
to shine a light on malicious actors and elevate awareness of the sophisticated
tactics and techniques used to target our customers. The related IOCs, Azure
Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product
detections and queries shared in this blog will help SOCs proactively hunt for
related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for
reporting different parts of the attack chain and their collaboration in the
investigation. Volexity has also published a blog post with their analysis. It
is this level of proactive communication and intelligence sharing that allows
the community to come together to get ahead of attacks before they spread and
improve security for all.


WHO IS HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of
industry sectors, including infectious disease researchers, law firms, higher
education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in
internet-facing servers, and has used legitimate open-source frameworks, like
Covenant, for command and control. Once they’ve gained access to a victim
network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM
interacting with victim Office 365 tenants. While they are often unsuccessful in
compromising customer accounts, this reconnaissance activity helps the adversary
identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the
United States.


TECHNICAL DETAILS

Microsoft is providing the following details to help our customers understand
the techniques used by HAFNIUM to exploit these vulnerabilities and enable more
effective defense against any future attacks against unpatched systems.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange
which allowed the attacker to send arbitrary HTTP requests and authenticate as
the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified
Messaging service. Insecure deserialization is where untrusted user-controllable
data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM
the ability to run code as SYSTEM on the Exchange server. This requires
administrator permission or another vulnerability to exploit.

CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file
write vulnerabilities in Exchange. If HAFNIUM could authenticate with the
Exchange server, they could use either vulnerability to write a file to any path
on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF
vulnerability or by compromising a legitimate admin’s credentials.


ATTACK DETAILS

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators
deployed web shells on the compromised server. Web shells potentially allow
attackers to steal data and perform additional malicious actions that lead to
further compromise. One example of a web shell deployed by HAFNIUM was written
in ASP (the original post shows the sample as a screenshot, which is not
reproduced here).

Following web shell deployment, HAFNIUM operators performed the following
post-exploitation activity (the original post illustrates each step with a
screenshot of the command line used):

 * Using Procdump to dump the LSASS process memory
 * Using 7-Zip to compress stolen data into ZIP files for exfiltration
 * Adding and using Exchange PowerShell snap-ins to export mailbox data
 * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell
 * Downloading PowerCat from GitHub, then using it to open a connection to a
   remote server

HAFNIUM operators were also able to download the Exchange offline address book
from compromised systems, which contains information about an organization and
its users.

Our blog, Defending Exchange servers under attack, offers advice for improving
defenses against Exchange server compromise. Customers can also find additional
guidance about web shell attacks in our blog Web shell attacks continue to rise.


CAN I DETERMINE IF I HAVE BEEN COMPROMISED BY THIS ACTIVITY?

The below sections provide indicators of compromise (IOCs), detection guidance,
and advanced hunting queries to help customers investigate this activity using
Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and
Microsoft 365 Defender. We encourage our customers to conduct investigations and
implement proactive detections to identify possible prior campaigns and prevent
future campaigns that may target their systems.


CHECK PATCH LEVELS OF EXCHANGE SERVER

The Microsoft Exchange Server team has published a blog post on these new
Security Updates providing a script to get a quick inventory of the patch-level
status of on-premises Exchange servers and answer some basic questions around
installation of these patches.


SCAN EXCHANGE LOG FILES FOR INDICATORS OF COMPROMISE

The Exchange Server team has created a script that runs the HAFNIUM IOC checks
described below while avoiding the performance and memory cost of the ad-hoc
commands on large log sets. That script is available here:
https://github.com/microsoft/CSS-Exchange/tree/main/Security.

 * CVE-2021-26855 exploitation can be detected via the following Exchange
   HttpProxy logs:
   * These logs are located in the following directory:
     %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
   * Exploitation can be identified by searching for log entries where the
     AuthenticatedUser is empty and the AnchorMailbox contains the pattern
     ServerInfo~*/* (the command below also matches the related BackEndCookie
     pattern Server~*/*~*)
   * Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName |
    Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*' } |
    Select-Object DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie,
        GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType,
        ServerHostName, HttpStatus, BackEndStatus, UserAgent

   * If activity is detected, the logs specific to the application specified
     in the AnchorMailbox path can be used to help determine what actions
     were taken.
     * These logs are located in the %PROGRAMFILES%\Microsoft\Exchange
       Server\V15\Logging directory.
 * CVE-2021-26858 exploitation can be detected via the Exchange log files:
   * C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
   * Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange
     Server\V15\ClientAccess\OAB\Temp directory
     * In case of exploitation, files are downloaded to other directories (UNC
       or local paths)
   * Windows command to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

 * CVE-2021-26857 exploitation can be detected via the Windows Application event
   logs
   * Exploitation of this deserialization bug will create Application events
     with the following properties:
     * Source: MSExchange Unified Messaging
     * EntryType: Error
     * Event Message Contains: System.InvalidCastException
   * Following is a PowerShell command to query the Application Event Log for
     these log entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error |
    Where-Object { $_.Message -like "*System.InvalidCastException*" }

 * CVE-2021-27065 exploitation can be detected via the following Exchange log
   files:
   * C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
   * All Set-<AppName>VirtualDirectory properties should never contain script.
     InternalUrl and ExternalUrl should only be valid Uris.
   * Following is a PowerShell command to search for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
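The three file-based checks above (HttpProxy, OABGeneratorLog and ECP\Server) carried through in one script, as an added example that is not Microsoft's CSS-Exchange script. The sample log content is constructed to match the patterns in the text: the real HttpProxy CSV has many more columns, and the OABGeneratorLog and ECP line layouts used here are simplified assumptions (only the marker strings, cmdlet pattern and directory paths come from the post). On a live server a caller would feed parse_exchange_csv each .log file under Logging\HttpProxy and the other two functions the lines of the respective log directories.

```python
"""Hunt for the CVE-2021-26855 / 26858 / 27065 log indicators described above.

Added example, not Microsoft's script. All sample logs are constructed; the
OAB and ECP message layouts are simplified stand-ins for the real files.
"""
import csv
import fnmatch
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed HttpProxy log: real files are CSV with a header row and far more columns.
SAMPLE_HTTPPROXY = (
    "DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus,UserAgent\n"
    "2021-03-01T10:00:01.000Z,/owa/,CONTOSO\\alice,SMTP:alice@contoso.com,,200,Mozilla/5.0\n"
    "2021-03-01T10:00:07.000Z,/owa/auth/x.js,,ServerInfo~ex01.contoso.com/autodiscover/autodiscover.xml,,200,python-requests/2.25.1\n"
    "2021-03-01T10:00:09.000Z,/ecp/y.js,,,Server~contoso.com/owa~123456,200,python-requests/2.25.1\n"
    "2021-03-01T10:00:20.000Z,/mapi/emsmdb/,CONTOSO\\bob,SMTP:bob@contoso.com,,200,Microsoft Office/16.0\n"
)
OAB_TEMP = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp"
OAB_MARKER = "Download failed and temporary file"
SAMPLE_OABGEN = [  # constructed: timestamp, then the message with the written path after the marker
    "2021-03-01T10:00:30.000Z," + OAB_MARKER + " " + OAB_TEMP + r"\a1b2.tmp",
    "2021-03-01T10:00:31.000Z," + OAB_MARKER + r" C:\inetpub\wwwroot\aspnet_client\shell.aspx",
    "2021-03-01T10:00:32.000Z,OAB generation completed",
]
SAMPLE_ECP = [  # constructed: cmdlet name followed by the parameter it set
    "2021-03-01T10:00:40.000Z,S:CMD=Set-OabVirtualDirectory;ExternalUrl='https://mail.contoso.com/OAB'",
    "2021-03-01T10:00:41.000Z,S:CMD=Set-OabVirtualDirectory;ExternalUrl='http://f/#<script runat=\"server\">/*constructed*/</script>'",
    "2021-03-01T10:00:42.000Z,S:CMD=Get-OabVirtualDirectory",
]


def parse_exchange_csv(text: str) -> List[Dict[str, str]]:
    """Exchange logs are CSV with a header row; '#'-prefixed comment lines are skipped."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))


def find_ssrf_requests(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """CVE-2021-26855: unauthenticated requests whose AnchorMailbox / BackEndCookie
    carries a server-targeting value instead of a mailbox."""
    hits = []
    for row in rows:
        if (row.get("AuthenticatedUser") or "").strip():
            continue  # a real user authenticated; the SSRF requests have none
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        if fnmatch.fnmatchcase(anchor, "ServerInfo~*/*") or fnmatch.fnmatchcase(cookie, "Server~*/*~*"):
            hits.append(row)
    return hits


def find_oab_writes_outside_temp(lines: List[str], temp_dir: str = OAB_TEMP) -> List[str]:
    """CVE-2021-26858: the OAB generator only ever writes under ClientAccess\\OAB\\Temp;
    any other local or UNC path after the marker is suspect."""
    prefix = temp_dir.lower().rstrip("\\") + "\\"
    bad = []
    for line in lines:
        if OAB_MARKER not in line:
            continue
        path = line.split(OAB_MARKER, 1)[1].strip()  # constructed layout: path follows the marker
        if not path.lower().startswith(prefix):
            bad.append(path)
    return bad


VDIR_RE = re.compile(r"Set-\w+VirtualDirectory")
URL_RE = re.compile(r"(InternalUrl|ExternalUrl)='([^']*)'")


def find_vdir_tampering(lines: List[str]) -> List[Tuple[str, str]]:
    """CVE-2021-27065: Set-*VirtualDirectory calls whose parameters carry script
    markup or whose InternalUrl / ExternalUrl is not a plain http(s) URI."""
    findings = []
    for line in lines:
        m = VDIR_RE.search(line)
        if not m:
            continue
        if "<script" in line.lower():
            findings.append((m.group(0), "script markup in cmdlet parameters"))
            continue
        for name, value in URL_RE.findall(line):
            parts = urlsplit(value)
            if parts.scheme not in ("http", "https") or not parts.netloc or "<" in value:
                findings.append((m.group(0), f"{name} is not a valid URI: {value!r}"))
    return findings


if __name__ == "__main__":
    for r in find_ssrf_requests(parse_exchange_csv(SAMPLE_HTTPPROXY)):
        print("SSRF?", r["DateTime"], r["UrlStem"], r["AnchorMailbox"] or r["BackEndCookie"])
    print("OAB writes outside Temp:", find_oab_writes_outside_temp(SAMPLE_OABGEN))
    print("VirtualDirectory tampering:", find_vdir_tampering(SAMPLE_ECP))
```

The HttpProxy check is stricter than the page's one-liner in one respect: it also requires AuthenticatedUser to be empty, as the bullet text specifies, which removes legitimate proxied traffic that happens to carry a Server~ cookie. The OAB check flags UNC paths as well as local ones because neither starts with the Temp prefix.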


HOST IOCS

Microsoft is releasing a feed of observed indicators of compromise (IOCs) in
related attacks. This feed is available in both CSV and JSON formats. This
information is being shared as TLP:WHITE.


HASHES

Web shell hashes

 * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
 * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
 * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
 * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
 * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
 * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
 * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
 * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944


PATHS

We observed web shells in the following paths:

 * C:\inetpub\wwwroot\aspnet_client\
 * C:\inetpub\wwwroot\aspnet_client\system_web\
 * In Microsoft Exchange Server installation paths such as:
   * %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
   * C:\Exchange\FrontEnd\HttpProxy\owa\auth\

The web shells we detected had the following file names:

 * web.aspx
 * help.aspx
 * document.aspx
 * errorEE.aspx
 * errorEEE.aspx
 * errorEW.aspx
 * errorFF.aspx
 * healthcheck.aspx
 * aspnet_www.aspx
 * aspnet_client.aspx
 * xx.aspx
 * shell.aspx
 * aspnet_iisstart.aspx
 * one.aspx

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may
indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

 * C:\windows\temp\
 * C:\root\


TOOLS

 * Procdump
 * Nishang
 * PowerCat
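A host-side sweep of the paths, file names and hashes listed above, added here as an example and not Microsoft's IOC feed or script. The default roots are the paths from the post; demo() builds a constructed directory tree under a temporary folder so the sweep can be exercised on any machine, and it adds the digest of one constructed benign file to the hash set purely to exercise the hash-match branch. Identifying Procdump output by the .dmp extension is an assumption.

```python
"""Sweep the web shell, archive and LSASS-dump locations listed above.

Added example, not Microsoft's IOC feed or script. Default roots are the paths
from the post; demo() builds a constructed tree under a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Set

WEBSHELL_HASHES: Set[str] = {  # SHA-256 values published in the post
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
# File names from the post, lower-cased because NTFS compares case-insensitively
WEBSHELL_NAMES = {
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
}
WEBSHELL_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
ARCHIVE_ROOTS = [r"C:\ProgramData"]
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DUMP_ROOTS = [r"C:\windows\temp", r"C:\root"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(roots: Iterable[str]) -> Iterator[Path]:
    for root in map(Path, roots):
        if root.is_dir():  # roots absent on this host are skipped, not errors
            yield from (p for p in root.rglob("*") if p.is_file())


def sweep(webshell_roots=WEBSHELL_ROOTS, archive_roots=ARCHIVE_ROOTS,
          dump_roots=DUMP_ROOTS, known_hashes: Set[str] = WEBSHELL_HASHES) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []

    def hit(p: Path, reason: str) -> None:
        findings.append({"path": str(p), "name": p.name, "reason": reason})

    for p in _files(webshell_roots):
        if p.name.lower() in WEBSHELL_NAMES:
            hit(p, "known web shell file name")
        if sha256_of(p) in known_hashes:  # catches renamed copies of known shells
            hit(p, "SHA-256 matches known web shell hash")
    for p in _files(archive_roots):
        if p.suffix.lower() in ARCHIVE_EXTS:
            hit(p, "archive in staging directory")
    for p in _files(dump_roots):
        if p.suffix.lower() == ".dmp":  # assumption: Procdump's default .dmp output
            hit(p, "process dump in LSASS dump path")
    return findings


def build_demo_tree(base: Path) -> Dict[str, List[str]]:
    """Constructed tree mirroring the layout of the paths in the post."""
    shells = base / "inetpub" / "wwwroot" / "aspnet_client"
    prog, tmp = base / "ProgramData", base / "windows" / "temp"
    for d in (shells / "system_web", prog, tmp):
        d.mkdir(parents=True)
    (shells / "system_web" / "help.aspx").write_text("<%-- constructed stand-in, not a real shell --%>")
    (shells / "readme.txt").write_text("benign content")
    (prog / "mail.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")
    (tmp / "lsass.dmp").write_bytes(b"MDMP")
    return {"webshell": [str(shells)], "archive": [str(prog)], "dump": [str(tmp)]}


def demo() -> List[Dict[str, str]]:
    with tempfile.TemporaryDirectory() as td:
        roots = build_demo_tree(Path(td))
        # Add the benign file's digest to the feed only to exercise the hash-match branch
        feed = WEBSHELL_HASHES | {sha256_of(Path(roots["webshell"][0]) / "readme.txt")}
        return sweep(roots["webshell"], roots["archive"], roots["dump"], known_hashes=feed)


if __name__ == "__main__":
    for f in demo() + sweep():  # demo tree first, then the real default roots on this host
        print(f"{f['reason']}: {f['path']}")
```

A name match alone is a weak signal (the post's errorEE.aspx and similar names sit next to legitimate error pages under owa\auth), so a hit should be confirmed by hash or by reading the file; a hash match is strong but misses modified or novel shells, which is why both checks run together.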

Many of the following detections are for post-breach techniques used by HAFNIUM.
So while these help detect some of the specific current attacks that Microsoft
has observed it remains very important to apply the recently released updates
for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.


MICROSOFT DEFENDER ANTIVIRUS DETECTIONS

Please note that some of these detections are generic detections and not unique
to this campaign or these exploits.

 * Exploit:Script/Exmann.A!dha
 * Behavior:Win32/Exmann.A
 * Backdoor:ASP/SecChecker.A
 * Backdoor:JS/Webshell (not unique)
 * Trojan:JS/Chopper!dha (not unique)
 * Behavior:Win32/DumpLsass.A!attk (not unique)
 * Backdoor:HTML/TwoFaceVar.B (not unique)


MICROSOFT DEFENDER FOR ENDPOINT DETECTIONS

 * Suspicious Exchange UM process creation
 * Suspicious Exchange UM file creation
 * Possible web shell installation (not unique)
 * Process memory dump (not unique)


AZURE SENTINEL DETECTIONS

 * HAFNIUM Suspicious Exchange Request
 * HAFNIUM UM Service writing suspicious file
 * HAFNIUM New UM Service Child Process
 * HAFNIUM Suspicious UM Service Errors
 * HAFNIUM Suspicious File Downloads


ADVANCED HUNTING QUERIES

To locate possible exploitation activity related to the contents of this blog,
you can run the following advanced hunting queries via Microsoft Defender for
Endpoint and Azure Sentinel:


MICROSOFT DEFENDER FOR ENDPOINT ADVANCED HUNTING QUERIES

Microsoft 365 Defender customers can find related hunting queries below or at
this GitHub location:
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/

Additional queries and information are available via Threat Analytics portal for
Microsoft Defender customers.

UMWorkerProcess.exe in Exchange creating abnormal content

Look for Microsoft Exchange Server’s Unified Messaging service creating
non-standard content on disk, which could indicate web shells or other malicious
content, suggesting exploitation of CVE-2021-26858 vulnerability:

DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin"
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
| where FileName != "cleanup.bin"

UMWorkerProcess.exe spawning

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal
subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "wermgr.exe"
| where FileName != "WerFault.exe"

Please note excessive spawning of wermgr.exe and WerFault.exe could be an
indicator of compromise due to the service crashing during deserialization.


AZURE SENTINEL ADVANCED HUNTING QUERIES

Azure Sentinel customers can find a Sentinel query containing these indicators
in the Azure Sentinel Portal or at this GitHub location:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/.

Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

SecurityEvent
| where EventID == 4688
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"

Look for downloads of PowerCat in cmd and Powershell command line logging in
Windows Event Logs:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"

Look for the Exchange PowerShell snap-in being loaded. The snap-in can be used
to export mailbox data, so subsequent command lines should be inspected to
verify how it was used:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where isnotempty(CommandLine)
| where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine

 


FILED UNDER:

 * Cybersecurity,
 * Security intelligence,
 * Threat protection

