{
	"id": "1f6e2c5d-8bbf-446c-893a-8c1d85e3a883",
	"created_at": "2026-04-06T01:30:18.415229Z",
	"updated_at": "2026-04-10T13:12:18.219013Z",
	"deleted_at": null,
	"sha1_hash": "1bbb605a21d46903c7c3df11a096379e683e48b9",
	"title": "Remediation Steps for the Microsoft Exchange Server Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52572,
	"plain_text": "Remediation Steps for the Microsoft Exchange Server\r\nVulnerabilities\r\nBy Unit 42\r\nPublished: 2021-03-09 · Archived: 2026-04-06 00:34:06 UTC\r\nBackground\r\nOn March 2, the security community became aware of four critical zero-day Microsoft Exchange Server\r\nvulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).\r\nThese vulnerabilities let adversaries access Exchange Servers and potentially gain long-term access to victims’\r\nenvironments. While the Microsoft Threat Intelligence Center (MSTIC) attributes the initial campaign with high\r\nconfidence to HAFNIUM, a group they assess to be state-sponsored and operating out of China, multiple threat\r\nintelligence teams, including MSTIC and Unit 42, are also seeing additional threat actors now exploiting these zero-day vulnerabilities in the wild. The estimated number of potentially compromised organizations is in the tens of\r\nthousands globally – and very importantly, these vulnerabilities were being actively exploited for at least two\r\nmonths before the security patches were available. As a result, even if you patched immediately, your Exchange\r\nServers could still be compromised. Further, based on telemetry collected from the Palo Alto Networks Expanse\r\nplatform, we estimate there remain over 125,000 unpatched Exchange Servers in the world.\r\nBelow you will find a concise playbook that enterprises can follow to respond to this potential threat in their\r\nenvironments.\r\n2) Patch and secure all Exchange Servers.\r\nInstall the out-of-band security updates for your version of Exchange Server.\r\nIf you cannot update and/or patch an Exchange Server immediately, there are some mitigations and workarounds\r\nthat may reduce the chances of an attacker exploiting an Exchange Server; these mitigations should only be\r\ntemporary until patching can be completed. 
Palo Alto Networks Next-Generation Firewalls (NGFWs) updated to\r\nThreat Prevention Content Pack 8380 or later protect against these vulnerabilities if SSL decryption is enabled for\r\ninbound traffic to the Exchange Server. Cortex XDR running on your Exchange Server will detect and prevent\r\nwebshell activity commonly used in these attacks.\r\nThe initial attack requires the ability to make an untrusted connection to Exchange Server port 443. You can\r\nprotect against this by restricting access to the system from untrusted users. This can be achieved by only allowing\r\naccess to the system from users who have already authenticated through a VPN, or by using a firewall to limit\r\naccess to specific hosts or IP ranges. Using this mitigation will only protect against the initial portion of the attack.\r\nOther portions of the chain can still be triggered if an attacker already has access to the network or can convince\r\nan administrator to open a malicious file.\r\nhttps://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/\r\nPage 1 of 3\n\nMore information about using Palo Alto Networks products, including firewalls with security subscriptions,\r\nCortex XSOAR for automation and Cortex XDR for endpoint protection, can be found in our Threat Assessment.\r\n3) Determine whether an Exchange Server has already been compromised.\r\nThese vulnerabilities have been in the wild and actively exploited for over a month, with the earliest indications of\r\nexploitation leading back to Jan. 3. Any organization running the vulnerable software must evaluate if their server\r\nhas been compromised. Patching the system will not remove any malware already deployed on the system. 
It\r\nwould be prudent to assume Exchange Servers that exposed Outlook Web Access or Exchange Web Services to\r\nthe internet are compromised until proven otherwise.\r\nCheck for suspicious process and system behavior, especially in the context of Internet Information Services (IIS)\r\nand Exchange application processes, such as PowerShell, command shells (cmd.exe) and other programs\r\nexecuted in the applications’ address space. We describe how to use Palo Alto Networks Cortex XDR Pro endpoint\r\nprotection to hunt for this attack in your environment in “Hunting for the Recent Attacks Targeting Microsoft\r\nExchange.”\r\nMicrosoft has released PowerShell and Nmap scripts for checking your Exchange Server for indicators of\r\ncompromise of these exploits. They have also released another script, available at the same link, that highlights\r\ndifferences in files from the virtual directories of your Exchange Server against those expected for your specific\r\nExchange version. The Cybersecurity and Infrastructure Security Agency (CISA) has also published a list of\r\ntactics, techniques and procedures (TTPs).\r\nAs documented in the Unit 42 Threat Assessment Courses of Action table, the post-intrusion TTPs used by the\r\ninitial actors conducting the Exchange attacks included the following:\r\nUsing Procdump to dump the LSASS process memory.\r\nUsing 7-Zip to compress stolen data into ZIP files for exfiltration.\r\nAdding and using Exchange PowerShell snap-ins to export mailbox data.\r\nUsing the Nishang Invoke-PowerShellTcpOneLine reverse shell.\r\nDownloading PowerCat from GitHub, then using it to open a connection to a remote server.\r\nSince the initial attacks, we believe that other actors are trying to capitalize on the Exchange vulnerabilities, but\r\ntheir motivations and objectives may differ vastly, and so could their TTPs.\r\n4) Engage an Incident Response team if you think you have been compromised.\r\nIf, at any point, you think your Exchange Server has 
been compromised, you should still take action to secure it\r\nagainst the vulnerabilities as described above. This will prevent additional adversaries from further compromising\r\nthe system. Installing the out-of-band security updates for your version of Exchange Server is very important, but\r\nthis will not remove any malware already installed on systems and will not evict any threat actors present in the\r\nnetwork.\r\nThe potential impact of this situation is critical due to the ongoing activity described, the vulnerabilities exploited\r\nto deliver the attack and the adversaries who could be behind compromises. While exploits of these vulnerabilities\r\nmay not halt business operations, access to sensitive information and systems is certainly possible, and should be\r\nassumed to have occurred. Access to corporate emails could also lead to follow-up phishing attacks.\r\nIf you believe you have been compromised, you should enact your incident response plan. If you need such\r\nservices, our Palo Alto Networks Crypsis incident response team is available to help: crypsis-investigations@paloaltonetworks.com.\r\nAdditional Resources:\r\n1. Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells\r\n2. Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server\r\n3. Hunting for the Recent Attacks Targeting Microsoft Exchange\r\n4. HAFNIUM targeting Exchange Servers with 0-day exploits\r\n5. Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange\r\nVulnerabilities\r\n6. Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know\r\n7. 
Multiple Security Updates Released for Exchange Server\r\nSource: https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/"
	],
	"report_names": [
		"remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bbb605a21d46903c7c3df11a096379e683e48b9.pdf",
		"text": "https://archive.orkl.eu/1bbb605a21d46903c7c3df11a096379e683e48b9.txt",
		"img": "https://archive.orkl.eu/1bbb605a21d46903c7c3df11a096379e683e48b9.jpg"
	}
}