{
	"id": "f8d03b7e-ed07-4dc5-b22b-c0c84087891c",
	"created_at": "2026-04-06T00:21:53.739769Z",
	"updated_at": "2026-04-10T03:35:48.425504Z",
	"deleted_at": null,
	"sha1_hash": "697f4f0d628697b60e077940d8b13de537afc707",
	"title": "On-Premises Exchange Server Vulnerabilities Resource Center - updated March 25, 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80513,
	"plain_text": "On-Premises Exchange Server Vulnerabilities Resource Center - updated March 25, 2021\r\nBy MSRC Team\r\nPublished: 2021-03-02 · Archived: 2026-04-05 16:09:31 UTC\r\nOn March 2nd, we released several security updates for Microsoft Exchange Server to address vulnerabilities that are being used in ongoing attacks. Due to the critical nature of these vulnerabilities, we recommend that customers protect their organizations by applying the patches immediately to affected systems.\r\nThe vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Server 2010 is also being updated for defense-in-depth purposes. Exchange Online is not affected.\r\nThese vulnerabilities are being exploited as part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server, but other portions of the attack can be triggered if the attacker already has access or gets access through other means. This means that mitigations such as restricting untrusted connections or setting up a VPN only protect against the initial portion of the attack, reducing the attack surface or partially mitigating, and that patching is the only way to mitigate completely.\r\nSince these patches were released, we have published several articles and blog posts helping customers understand these vulnerabilities and their exploitation patterns, and shared detailed guidance on how the malicious actors are exploiting these vulnerabilities and targeting customers. We are aware that there is a lot of detail to understand and are adding this summary of Microsoft’s guidance for security incident responders and Exchange administrators on what steps to take to secure their Exchange environments.\r\nOrganizations should review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is situational and depends on the outcomes of the investigation.\r\nExecutive Summary and Background Information\r\nMicrosoft continues to investigate the extent of the recent Exchange Server on-premises attacks. Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will make updates to this article at https://aka.ms/ExchangeVulns\r\nMarch 25, 2021 - Analyzing attacks taking advantage of the Exchange Server vulnerabilities\r\nMarch 25, 2021 - Web Shell Threat Hunting with Azure Sentinel\r\nMarch 18, 2021 - Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus\r\nhttps://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server\r\nPage 1 of 5\r\nMarch 16, 2021 - Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities\r\nMarch 15, 2021 - One-Click Microsoft Exchange On-premises Mitigation Tool\r\nMarch 8, 2021 - March 8 Exchange Team Blog\r\nMarch 5, 2021 - Microsoft Exchange Server Vulnerabilities Mitigations\r\nMarch 2, 2021 - Microsoft Security Blog: Hafnium Targeting Exchange\r\nMarch 2, 2021 - Microsoft on the Issues\r\nMarch 2, 2021 - Exchange Team Blog\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-26858\r\nCVE-2021-27065\r\nNot related to known attacks\r\nCVE-2021-26412\r\nCVE-2021-26854\r\nCVE-2021-27078\r\nOverview of the Attack and Exploitation\r\nMicrosoft originally followed the adversary group HAFNIUM launching targeted attacks against specific organizations. Recently other adversary groups have started targeting these vulnerabilities, and we expect that these attacks will continue to increase as attackers investigate and automate exploitation of these vulnerabilities. Not all these footholds are being utilized immediately, and some were likely put in place for future exploitation. A detailed overview is available here: HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security\r\nWhile some adversary groups are installing web shells as broadly as possible for future use, some are also conducting further operations on compromised servers and attempting to move laterally into organizations’ environments to establish deeper persistence. This document provides instructions to remediate web shells and determine the initial ingress of an adversary.\r\nOrganizations that have detected or suspect more advanced post-exploitation activities, such as credential dumps, lateral movement, and installation of further malware/ransomware, should consider enlisting the services of cybersecurity response professionals. Investigating and remediating post-exploitation across an IT environment is beyond the scope of this blog, but we want organizations to understand where we recommend they begin their investigations based on the patterns of behavior we’ve seen associated with exploitation of these vulnerabilities.\r\nRecommended Response Steps\r\nSuccessful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance of the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation.\r\nSuccessful response should consist of the following steps:\r\n1. Deploy updates to affected Exchange Servers.\r\n2. Investigate for exploitation or indicators of persistence.\r\n3. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\r\nMicrosoft recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigation of the vulnerability.\r\nIt is imperative that you update or mitigate your affected Exchange deployments immediately. These vulnerabilities are being actively exploited by multiple adversary groups. For the highest assurance, block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated. If you have not yet patched, and have not applied the mitigations referenced below, a one-click tool, the Exchange On-premises Mitigation Tool, is now our recommended path to mitigate until you can patch.\r\nIf you are an experienced IT professional or incident responder, review our Guidance for Responders post for more detailed recommendations that will be continually updated when Microsoft has new information about responding to these attacks.\r\nDeploy updates to affected Exchange Servers\r\nIf you do not have an inventory of servers in your environments that run Exchange, you can use the nmap script Microsoft has provided to scan your networks for vulnerable Exchange deployments. For the Exchange servers in your environment, immediately apply updates for the version of Exchange you are running. While these Security Updates do not apply to Exchange Online / Office 365, if you are in Hybrid mode you need to apply them to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run the Hybrid Configuration Wizard (HCW) if you are using it. The high-level summary of our patching guidance is:\r\nExchange Online is not affected.\r\nExchange 2003 and 2007 are no longer supported but are not believed to be affected by the March 2021 vulnerabilities. You must upgrade to a supported version of Exchange to ensure that you are able to secure your deployment against vulnerabilities fixed in current versions of Microsoft Exchange and future fixes for security issues.\r\nExchange 2010 is only impacted by CVE-2021-26857, which is not the first step in the attack chain. Organizations should apply the update and then follow the guidance below to investigate for potential exploitation and persistence.\r\nExchange 2013, 2016, and 2019 are impacted. Immediately deploy the updates or apply mitigations described below. For help identifying which updates you need to get from your current CU version to a version with the latest security patches, follow this guidance: Released: March 2021 Exchange Server Security Updates - Microsoft Tech Community. You can use the linked Health Checker script here to help you identify exactly which CUs are needed for your deployment. Microsoft has also released additional Security Updates for select older Exchange CUs to accelerate their path to being patched for these vulnerabilities.\r\nMitigations: If for some reason you cannot update your Exchange servers immediately, we have released instructions for how to mitigate these vulnerabilities through reconfiguration. We recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches. We recommend prioritizing installing the patches on Exchange Servers that are externally facing first, but all affected Exchange Servers should be updated urgently. The Mitigations suggested are not substitutes for installing the updates and will impact some Exchange functionality while in place. Detailed guidance on applying the alternate mitigations is provided here: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021.\r\nApplying the update or the alternative mitigation techniques will not evict an adversary who has already compromised your environment. The remainder of this document shares guidance to help you determine whether your Exchange servers were exploited before mitigating the issue and how to remediate some types of attacks.\r\nInvestigate for exploitation, persistence, or evidence of lateral movement\r\nIn addition to protecting your Exchange servers from exploitation, you should assess to ensure that the vulnerabilities were not exploited before you got them to a protected state.\r\n1. Analyze the Exchange product logs for evidence of exploitation. Microsoft released detailed steps here, including scripts to help automate: Scan Exchange log files for indicators of compromise. If you choose to use the script provided, you will have an option to scan some or all of your Exchange servers at the same time.\r\n2. Scan for known web shells. The Microsoft Defender team has included security intelligence for known malware related to these vulnerabilities in the latest version of the Microsoft Safety Scanner. Run this Safety Scanner on every Exchange server in your environment. If you need assistance, detailed guidance can be found here: CSS-Exchange/Defender-MSERT-Guidance.md at main · microsoft/CSS-Exchange · GitHub\r\nFor Microsoft Defender and Microsoft Defender for Endpoint customers, please make sure you are on the latest security intelligence patch: Latest security intelligence patches for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence\r\n3. Use the Microsoft IOC feed for newly observed indicators. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE (free for all to use).\r\n4. Leverage other organizational security capabilities in addition to these tools. The tools above make the threat intelligence that Microsoft has been accumulating related to exploitation of these vulnerabilities available to all organizations. Your organization may also have its own security controls, and we recommend that you increase your vigilance on signals from Exchange servers in your current security controls too.\r\nRemediate any identified exploitation or persistence\r\nIf you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.\r\nIf you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:\r\n1. Remediate and quarantine them for further investigation unless they are expected customizations in your environment.\r\n2. Search your IIS logs to identify whether or not the files identified as malicious have been accessed.\r\n3. Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft - Windows security | Microsoft Docs, and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.\r\nAs part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\\UnifiedMessaging\\voicemail\r\nIf you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the Hafnium attack goes into detail for those who need additional details on IOCs, file hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security\r\nIf any of your security detections or the investigation tools’ results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical, if you suspect that your Exchange environment is compromised by a persistent adversary, that you coordinate your response using alternative communications channels as mentioned earlier in this document.\r\nSource: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server"
	],
	"report_names": [
		"multiple-security-updates-released-for-exchange-server"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/697f4f0d628697b60e077940d8b13de537afc707.pdf",
		"text": "https://archive.orkl.eu/697f4f0d628697b60e077940d8b13de537afc707.txt",
		"img": "https://archive.orkl.eu/697f4f0d628697b60e077940d8b13de537afc707.jpg"
	}
}