{
	"id": "454b53e1-6bbd-498b-90a7-ab4024d6e05e",
	"created_at": "2026-04-06T00:08:00.696788Z",
	"updated_at": "2026-04-10T13:11:58.077218Z",
	"deleted_at": null,
	"sha1_hash": "7e175d8dca5036c3000f2094b0db0a7add5da140",
	"title": "Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 826761,
	"plain_text": "Operation Exchange Marauder: Active Exploitation of Multiple\r\nZero-Day Microsoft Exchange Vulnerabilities\r\nBy mindgrub\r\nPublished: 2021-03-02 · Archived: 2026-04-05 17:15:45 UTC\r\n[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber\r\nespionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021,\r\nthree days earlier than initially posted.\r\nVolexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021.\r\nIn January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two\r\nof its customers’ Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses\r\nit believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed\r\nrather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript,\r\ncascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might\r\nbe backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter. As a\r\nresult, Volexity started its incident response efforts and acquired system memory (RAM) and other disk artifacts to\r\ninitiate a forensics investigation. This investigation revealed that the servers were not backdoored and uncovered a\r\nzero-day exploit being used in the wild.\r\nThrough its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side\r\nrequest forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). 
The attacker was using the\r\nhttps://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\r\nPage 1 of 10\n\nvulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and\r\ndoes not require authentication of any kind, nor does it require any special knowledge or access to a target\r\nenvironment. The attacker only needs to know the server running Exchange and the account from which they want\r\nto extract e-mail.\r\nAdditionally, Volexity is providing alternative mitigations that may be used by defenders to assist in securing their\r\nMicrosoft Exchange instances. This vulnerability has been confirmed to exist within the latest version of\r\nExchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in\r\nExchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable. It\r\nshould also be noted that this vulnerability does not appear to impact Office 365.\r\nFollowing the discovery of CVE-2021-26855, Volexity continued to monitor the threat actor and work with\r\nadditional impacted organizations. During the course of multiple incident response efforts, Volexity identified that\r\nthe attacker had managed to chain the SSRF vulnerability with another that allows remote code execution (RCE)\r\non the targeted Exchange servers (CVE-2021-27065). 
In all cases of RCE, Volexity has observed the attacker\r\nwriting webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts,\r\nsteal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.\r\nA patch addressing both of these vulnerabilities is expected imminently.\r\nAuthentication Bypass Vulnerability\r\nWhile Volexity cannot currently provide full technical details of the exploit and will not be sharing proof-of-concept exploit code, it is still possible to provide useful details surrounding the vulnerability’s exploitation and\r\npossible mitigations. Volexity observed the attacker focused on getting a list of e-mails from a targeted mailbox\r\nand downloading them. Based on these observations, it was possible for Volexity to further improve and automate\r\nattacks in a lab environment.\r\nThere are two methods to download e-mail with this vulnerability, depending on the way that Microsoft Exchange\r\nhas been configured. In corporate environments it is common that multiple Exchange servers will be set up. This\r\nis often done for load balancing, availability, and resource splitting purposes. While it is less common, it is also\r\npossible to run all Exchange functionality on a single server.\r\nIn the case where a single server is being used to provide the Exchange service, Volexity believes the attacker\r\nmust know the targeted user’s domain security identifier (SID) in order to access their mailbox. This is a static\r\nvalue and is not considered something secret. However, it is not something that is trivially obtained by someone\r\nwithout access to systems within a specific organization.\r\nIn a multiple server configuration, where the servers are configured in a Database Availability Group (DAG),\r\nVolexity has proven an attacker does not need to acquire a user’s domain SID to access their mailbox. 
The only\r\ninformation required is the e-mail address of the user they wish to target.\r\nIn order to exploit this vulnerability, the attacker must also identify the fully qualified domain name (FQDN) of\r\nthe internal Exchange server(s). Using a series of requests, Volexity determined that this information could be\r\nextracted by an attacker with only initial knowledge of the external IP address or domain name of a publicly\r\naccessible Exchange server. After this information is obtained, the attacker can generate and send a specially\r\ncrafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services\r\n(EWS) API endpoint. This SOAP request, using specially crafted cookies, bypasses authentication and ultimately\r\nexecutes the underlying request specified in the XML, allowing an attacker to perform any operation on the user’s\r\nmailbox.\r\nVolexity has observed this attack conducted via OWA. The exploit involved specially crafted POST requests being\r\nsent to valid static resources that do not require authentication. Specifically, Volexity has observed POST\r\nrequests targeting files found in the following web directory:\r\n/owa/auth/Current/themes/resources/\r\nThis folder contains image, font, and cascading style sheet files. Using any of these files for the POST request\r\nappears to allow the exploit to proceed. If a file such as /owa/auth/logon.aspx or simply a folder such as\r\n/owa/auth/ were to be used, the exploit will not work.\r\nAuthentication Bypass Exploit Demonstration\r\nThe video below demonstrates the vulnerability being exploited in a lab environment:\r\nFigure 1. 
Video demonstrating the authentication bypass vulnerability at work in a lab environment.\r\nIn the video demonstration, the following SOAP XML payload is used to retrieve the identifiers of each email in\r\nAlice’s inbox:\r\nFigure 2. XML payload used to pull email identifiers from Alice’s inbox without authentication.\r\nThen, the following payload is used to pull down each individual email:\r\nFigure 3. Payload used to retrieve individual emails without authentication.\r\nRemote Code Execution Vulnerability\r\nAs mentioned in the introduction to this post, a remote code execution (RCE) exploit was also observed in use\r\nagainst multiple organizations. This RCE appears to reside within the use of the Set-OabVirtualDirectory\r\nExchange PowerShell cmdlet. Evidence of this activity can be seen in Exchange’s ECP Server logs. A snippet with\r\nthe exploit removed is shown below.\r\n;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=\"\u003cremoved\u003e\"\r\nIIS logs for the server would show an entry similar to what is shown below; however, this URL path may be used\r\nfor items not associated with this exploit or activity.\r\n/ecp/DDI/DDIService.svc/SetObject\r\nIn this case, this simple backdoor, which Volexity has named SIMPLESEESHARP, was then used to drop a larger\r\nwebshell, named SPORTSBALL, on affected systems. Further, Volexity has observed numerous other webshells\r\nin use, such as China Chopper variants and ASPXSPY.\r\nPost-Exploitation Activity\r\nWhile the attackers appear to have initially flown largely under the radar by simply stealing e-mails, they recently\r\npivoted to launching exploits to gain a foothold. From Volexity’s perspective, this exploitation appears to involve\r\nmultiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and\r\nfurther backdooring systems. 
Below is a summary of the different methods and tools Volexity has observed thus\r\nfar:\r\nMethod/Tool | Purpose\r\nrundll32 C:\\windows\\system32\\comsvcs.dll MiniDump lsass.dmp | Dump process memory of lsass.exe to obtain credentials\r\nPsExec | Windows Sysinternals tool used to execute commands on remote systems\r\nProcDump | Windows Sysinternals tool to dump process memory\r\nWinRar Command Line Utility | Used to archive data for exfiltration\r\nWebshells (ASPX and PHP) | Used to allow command execution or network proxying via external websites\r\nDomain Account User Addition | Leveraged by attackers to add their own user account and grant it privileges to provide access in the future\r\nIndicators of Compromise\r\nAuthentication Bypass Indicators\r\nIn Volexity’s observations of authentication bypass attacks being performed in the wild, files such as the following\r\nwere the targets of HTTP POST requests:\r\n/owa/auth/Current/themes/resources/logon.css\r\n/owa/auth/Current/themes/resources/owafont_ja.css\r\n/owa/auth/Current/themes/resources/lgnbotl.gif\r\n/owa/auth/Current/themes/resources/owafont_ko.css\r\n/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot\r\n/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf\r\n/owa/auth/Current/themes/resources/lgnbotl.gif\r\nRemote Code Execution Indicators\r\nTo identify possible historical activity related to the remote code execution exploit, organizations can search their\r\nECP Server logs for the following string (or similar).\r\nS:CMD=Set-OabVirtualDirectory.ExternalUrl='\r\nECP Server logs are typically located at \u003cexchange install path\u003e\\Logging\\ECP\\Server\\\r\nWebshell Indicators\r\nFurther, Volexity has observed indicators that are 
consistent with web server breaches that can be used to look on\r\ndisk and in web logs for access to or the presence of ASPX files at the following paths:\r\n\\inetpub\\wwwroot\\aspnet_client\\ (any .aspx file under this folder or subfolders)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\ecp\\auth\\ (any file besides TimeoutLogoff.aspx)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth (any file or modified file that is not part of a\r\nstandard install)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\\u003cany aspx file in this folder or\r\nsubfolders\u003e\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\\u003cfolder with version number\u003e\\\u003cany aspx file in\r\nthis folder or subfolders\u003e\r\nIt should be noted that Volexity has observed the attacker adding webshell code to otherwise legitimate ASPX files\r\nin an attempt to blend in and hide from defenders.\r\nWeb Log User-Agents\r\nThere are also a handful of User-Agents that may be useful for responders to look for when examining their web\r\nlogs. 
These are not necessarily indicative of compromise, but should be used to determine if further investigation is warranted.\r\nVolexity observed the following non-standard User-Agents associated with POST requests to the files found under\r\nfolders within /owa/auth/Current.\r\nDuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)\r\nfacebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)\r\nMozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\nMozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)\r\nMozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html\r\nMozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)\r\nMozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)\r\nMozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)\r\nMozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36\r\nVolexity observed the following User-Agents in conjunction with exploitation to /ecp/ URLs.\r\nExchangeServicesClient/0.0.0.0\r\npython-requests/2.19.1\r\npython-requests/2.25.1\r\nOther notable User-Agent entries were tied to tools used for post-exploitation access to webshells.\r\nantSword/v2.1\r\nGooglebot/2.1+(+http://www.googlebot.com/bot.html)\r\nMozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\nAdditional Auth Bypass and RCE Indicators\r\nTo identify possible historical activity relating to the authentication bypass and RCE activity, IIS logs from\r\nExchange servers can be examined for the following:\r\nPOST /owa/auth/Current/\r\nPOST /ecp/default.flt\r\nPOST /ecp/main.css\r\nPOST /ecp/\u003csingle char\u003e.js\r\nNote that the presence of log entries with POST requests under these directories does not 
guarantee an Exchange\r\nserver has been exploited. However, their presence should warrant further investigation.\r\nYARA signatures for non-trivial webshells deployed by attackers following successful exploitation may be found in\r\nthe Appendix of this post.\r\nNetwork Indicators – Attacker IPs\r\nVolexity has observed numerous IP addresses leveraged by the attackers to exploit the vulnerabilities described in\r\nthis blog. These IP addresses are tied to VPS servers and VPN services. Volexity has also observed the attackers\r\nusing Tor, but has made attempts to remove those entries from the list below.\r\n103.77.192.219\r\n104.140.114.110\r\n104.250.191.110\r\n108.61.246.56\r\n149.28.14.163\r\n157.230.221.198\r\n167.99.168.251\r\n185.250.151.72\r\n192.81.208.169\r\n203.160.69.66\r\n211.56.98.146\r\n5.254.43.18\r\n80.92.205.81\r\nConclusion\r\nHighly skilled attackers continue to innovate in order to bypass defenses and gain access to their targets, all in\r\nsupport of their mission and goals. These particular vulnerabilities in Microsoft Exchange are no exception. 
These\r\nattackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing\r\nthem to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable\r\nMicrosoft Exchange servers.\r\nDue to the ongoing observed exploitation of the discussed vulnerabilities, Volexity urges organizations to\r\nimmediately apply the available patches or temporarily disable external access to Microsoft Exchange until a\r\npatch can be applied.\r\nNeed Assistance?\r\nIf you have concerns that your servers or networks may have been compromised from this vulnerability, please\r\nreach out to the Volexity team and we can help you make a determination if further investigation is warranted.\r\nAppendix\r\nrule webshell_aspx_simpleseesharp : Webshell Unclassified\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"A simple ASPX Webshell that allows an attacker to write further files to disk.\"\r\n        hash = \"893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2\"\r\n    strings:\r\n        $header = \"\u003c%@ Page Language=\\\"C#\\\" %\u003e\"\r\n        $body = \"\u003c% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine\"\r\n    condition:\r\n        $header at 0 and\r\n        $body and\r\n        filesize \u003c 1KB\r\n}\r\nrule webshell_aspx_reGeorgTunnel : Webshell Commodity\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"variation on reGeorgtunnel\"\r\n        hash = \"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928\"\r\n        reference = \"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx\"\r\n    strings:\r\n        $s1 = 
\"System.Net.Sockets\"\r\n        $s2 = \"System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get\"\r\n        $t1 = \".Split('|')\"\r\n        $t2 = \"Request.Headers.Get\"\r\n        $t3 = \".Substring(\"\r\n        $t4 = \"new Socket(\"\r\n        $t5 = \"IPAddress ip;\"\r\n    condition:\r\n        all of ($s*) or\r\n        all of ($t*)\r\n}\r\nrule webshell_aspx_sportsball : Webshell\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.\"\r\n        hash = \"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a\"\r\n    strings:\r\n        $uniq1 = \"HttpCookie newcook = new HttpCookie(\\\"fqrspt\\\", HttpContext.Current.Request.Form\"\r\n        $uniq2 = \"ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=\"\r\n        $var1 = \"Result.InnerText = string.Empty;\"\r\n        $var2 = \"newcook.Expires = DateTime.Now.AddDays(\"\r\n        $var3 = \"System.Diagnostics.Process process = new System.Diagnostics.Process()\"\r\n        $var4 = \"process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\\\"\"\r\n        $var5 = \"else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\\\"\"\r\n        $var6 = \"\"\r\n    condition:\r\n        any of ($uniq*) or\r\n        all of ($var*)\r\n}\r\nSource: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
	],
	"report_names": [
		"active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e175d8dca5036c3000f2094b0db0a7add5da140.pdf",
		"text": "https://archive.orkl.eu/7e175d8dca5036c3000f2094b0db0a7add5da140.txt",
		"img": "https://archive.orkl.eu/7e175d8dca5036c3000f2094b0db0a7add5da140.jpg"
	}
}