{
	"id": "3a694161-91e1-4b35-88a8-549df447fb2e",
	"created_at": "2026-04-06T00:16:22.89135Z",
	"updated_at": "2026-04-10T13:11:18.494308Z",
	"deleted_at": null,
	"sha1_hash": "87a55ccb55545333f13a7b1fd568e45bad4293b0",
	"title": "HAFNIUM targeting Exchange Servers with 0-day exploits | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312310,
	"plain_text": "HAFNIUM targeting Exchange Servers with 0-day exploits |\r\nMicrosoft Security Blog\r\nBy Microsoft 365 Security, Microsoft Threat Intelligence\r\nPublished: 2021-03-02 · Archived: 2026-04-05 15:36:49 UTC\r\nUpdate [03/16/2021]: Microsoft released updated tools and investigation guidance to help IT Pros and incident\r\nresponse teams identify, remediate, defend against associated attacks: Guidance for responders: Investigating and\r\nremediating on-premises Exchange Server vulnerabilities.\r\nUpdate [03/15/2021]: Microsoft released a new one-click mitigation tool, the Microsoft Exchange On-Premises\r\nMitigation Tool, to help customers who do not have dedicated security or IT teams to apply security updates for\r\nMicrosoft Exchange Server. \r\nUpdate [03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack\r\norganizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft\r\nsecurity products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise\r\n(IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in\r\nboth JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE: CSV\r\nformat | JSON format\r\nUpdate [03/05/2021]: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems\r\nby multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, Microsoft\r\nSecurity Response Center (MSRC) has provided additional resources, including new mitigation guidance:\r\nMicrosoft Exchange Server Vulnerabilities Mitigations – March 2021\r\nUpdate [03/04/2021]: The Exchange Server team released a script for checking HAFNIUM indicators of\r\ncompromise (IOCs). 
See Scan Exchange log files for indicators of compromise.\r\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange\r\nServer in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access\r\non-premises Exchange servers which enabled access to email accounts, and allowed installation of additional\r\nmalware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC)\r\nattributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating\r\nout of China, based on observed victimology, tactics and procedures.\r\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and\r\nCVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release –\r\nMultiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises\r\nsystems immediately. Exchange Online is not affected. We have established a resource center that is constantly\r\nupdated as more information becomes available at https://aka.ms/ExchangeVulns.\r\nhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\r\nPage 1 of 8\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of\r\nthese vulnerabilities and the importance of patching all affected systems immediately to protect against these\r\nexploits and prevent future abuse across the ecosystem. 
This blog also continues our mission to shine a light on\r\nmalicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers.\r\nThe related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product\r\ndetections and queries shared in this blog will help SOCs proactively hunt for related activity in their\r\nenvironments and elevate any alerts for remediation.\r\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the\r\nattack chain and their collaboration in the investigation. Volexity has also published a blog post with their analysis.\r\nIt is this level of proactive communication and intelligence sharing that allows the community to come together to\r\nget ahead of attacks before they spread and improve security for all.\r\nWho is HAFNIUM?\r\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious\r\ndisease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\r\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has\r\nused legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to\r\na victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\r\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office\r\n365 tenants. 
While they are often unsuccessful in compromising customer accounts, this reconnaissance activity\r\nhelps the adversary identify more details about their targets’ environments.\r\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\r\nTechnical details\r\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM\r\nto exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched\r\nsystems.\r\nCVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to\r\nsend arbitrary HTTP requests and authenticate as the Exchange server.\r\nCVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure\r\ndeserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability\r\ngave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator\r\npermission or another vulnerability to exploit.\r\nCVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could\r\nauthenticate with the Exchange server then they could use this vulnerability to write a file to any path on the\r\nserver. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a\r\nlegitimate admin’s credentials.\r\nCVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could\r\nauthenticate with the Exchange server then they could use this vulnerability to write a file to any path on the\r\nserver. 
They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a\r\nlegitimate admin’s credentials.\r\nAttack details\r\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the\r\ncompromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions\r\nthat lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:\r\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\r\nUsing Procdump to dump the LSASS process memory:\r\nUsing 7-Zip to compress stolen data into ZIP files for exfiltration:\r\nAdding and using Exchange PowerShell snap-ins to export mailbox data:\r\nUsing the Nishang Invoke-PowerShellTcpOneLine reverse shell:\r\nDownloading PowerCat from GitHub, then using it to open a connection to a remote server:\r\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems,\r\nwhich contains information about an organization and its users.\r\nOur blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server\r\ncompromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks\r\ncontinue to rise.\r\nCan I determine if I have been compromised by this activity?\r\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries\r\nto help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for\r\nEndpoint, and Microsoft 365 Defender. 
We encourage our customers to conduct investigations and implement\r\nproactive detections to identify possible prior campaigns and prevent future campaigns that may target their\r\nsystems.\r\nCheck patch levels of Exchange Server\r\nThe Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script\r\nto get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic\r\nquestions around installation of these patches.\r\nScan Exchange log files for indicators of compromise\r\nThe Exchange Server team has created a script that runs the HAFNIUM IOC checks below and addresses the\r\nperformance and memory concerns of the one-line commands. That script is available here:\r\nhttps://github.com/microsoft/CSS-Exchange/tree/main/Security.\r\nCVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:\r\nThese logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\r\nExploitation can be identified by searching for log entries where the AuthenticatedUser is empty\r\nand the AnchorMailbox contains the pattern of ServerInfo~*/*\r\nHere is an example PowerShell command to find these log entries (note that it matches on the AnchorMailbox and\r\nBackEndCookie patterns alone, so rows it returns should also be checked for an empty AuthenticatedUser):\r\nImport-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*' } | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent\r\nCVE-2021-26858 exploitation can be detected via the Exchange log files:\r\nC:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\r\nFiles should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory\r\nIn case of exploitation, files are downloaded to other directories (UNC or local paths)\r\nWindows command to search for potential exploitation:\r\nfindstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"\r\nCVE-2021-26857 exploitation can be detected via the Windows Application event logs\r\nExploitation of this deserialization bug will create Application events with the following properties:\r\nSource: MSExchange Unified Messaging\r\nEntryType: Error\r\nEvent Message Contains: System.InvalidCastException\r\nThe following PowerShell command queries the Application event log for these entries:\r\nGet-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }\r\nCVE-2021-27065 exploitation can be detected via the following Exchange log files:\r\nC:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\r\nAll Set-\u003cAppName\u003eVirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should\r\nonly be valid Uris.\r\nSelect-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'\r\nHost IOCs\r\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. This feed is available\r\nin both CSV and JSON formats. 
This information is being shared as TLP:WHITE.\r\nHashes\r\nWeb shell hashes (SHA-256)\r\nb75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\r\n097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\r\n2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\r\n65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\r\n511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\r\n4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\r\n811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\r\n1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\r\nPaths\r\nWe observed web shells in the following paths:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\\r\nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\\r\nIn Microsoft Exchange Server installation paths such as:\r\n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\r\nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\\r\nThe web shells we detected had the following file names:\r\nweb.aspx\r\nhelp.aspx\r\ndocument.aspx\r\nerrorEE.aspx\r\nerrorEEE.aspx\r\nerrorEW.aspx\r\nerrorFF.aspx\r\nhealthcheck.aspx\r\naspnet_www.aspx\r\naspnet_client.aspx\r\nxx.aspx\r\nshell.aspx\r\naspnet_iisstart.aspx\r\none.aspx\r\nCheck for suspicious .zip, .rar, and .7z files in C:\\ProgramData\\, which may indicate possible data exfiltration.\r\nCustomers should monitor these paths for LSASS dumps:\r\nC:\\windows\\temp\\\r\nC:\\root\\\r\nTools\r\nProcdump\r\nNishang\r\nPowerCat\r\nMany of the following detections are for post-breach techniques used by HAFNIUM. 
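The two host-side checks above, as one added example that is not code from Microsoft's post or from the CSS-Exchange scripts: a function that applies the HttpProxy log test for CVE-2021-26855 from the Scan Exchange log files section (using both conditions the text gives, an empty AuthenticatedUser plus the ServerInfo~*/* anchor, which the one-line command there does not) and a function that sweeps a file inventory for the web shell names, drop directories and SHA-256 hashes, the archives in C:\\ProgramData and the LSASS dump paths listed under Host IOCs. The function names, the sample log rows, the file inventory and the handling of #Fields: banner lines are assumptions of this example, not part of the post.

```powershell
# Added example, not code from the Microsoft post or the CSS-Exchange scripts.
# Two of the host-side checks described above, exercised on constructed sample
# data so they run without an Exchange server. Column names, IOC directories,
# file names and SHA-256 hashes are those listed in the post; the log rows and
# the file inventory are made up for this example.

function Find-ProxyLogonHttpProxyHits {
    # Returns HttpProxy log rows that match the CVE-2021-26855 pattern: empty
    # AuthenticatedUser together with an AnchorMailbox like ServerInfo~*/* (or,
    # as the post's one-liner also checks, a BackEndCookie like Server~*/*~*).
    param([Parameter(Mandatory)][string]$LogText)

    $lines = @($LogText -split \"`r?`n\" | Where-Object { $_.Trim() })
    # Exchange CSV logs start with '#'-prefixed banner lines. Drop them; if no
    # plain header row follows, build one from '#Fields:' (assumption).
    $fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $data = @($lines | Where-Object { -not $_.StartsWith('#') })
    if ($fieldsLine -and $data.Count -gt 0 -and -not $data[0].StartsWith('DateTime,')) {
        $data = @($fieldsLine -replace '^#Fields:\\s*', '') + $data
    }

    $data | ConvertFrom-Csv | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and (
            $_.AnchorMailbox -like 'ServerInfo~*/*' -or
            $_.BackEndCookie -like 'Server~*/*~*')
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus
}

function Find-HafniumHostArtifacts {
    # Flags files whose hash, name or location matches the Host IOCs section.
    # $Files holds objects with Path and Sha256 properties, e.g. produced by
    # Get-ChildItem -Recurse | Get-FileHash -Algorithm SHA256 on a live server.
    param([Parameter(Mandatory)][object[]]$Files)

    $shellNames = 'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx',
        'errorEEE.aspx', 'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx',
        'aspnet_www.aspx', 'aspnet_client.aspx', 'xx.aspx', 'shell.aspx',
        'aspnet_iisstart.aspx', 'one.aspx'
    $shellHashes = 'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0',
        '097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e',
        '2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1',
        '65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5',
        '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1',
        '4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea',
        '811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d',
        '1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944'

    foreach ($f in $Files) {
        $name = ($f.Path -split '[\\\\/]')[-1]
        $reasons = @()
        # -contains compares case-insensitively, so Get-FileHash's upper-case output matches.
        if ($shellHashes -contains $f.Sha256) { $reasons += 'SHA-256 of a known HAFNIUM web shell' }
        if ($shellNames -contains $name) { $reasons += 'file name used by HAFNIUM web shells' }
        # aspnet_client normally holds only ASP.NET client scripts, so any .aspx there
        # is suspect (assumption). owa\\auth legitimately contains .aspx pages such as
        # logon.aspx, so that directory is judged by name and hash only.
        if ($f.Path -match '\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\.*\\.aspx$') { $reasons += '.aspx under aspnet_client' }
        if ($f.Path -match '^C:\\\\ProgramData\\\\[^\\\\]+\\.(zip|rar|7z)$') { $reasons += 'archive in C:\\ProgramData (possible exfiltration staging)' }
        if ($f.Path -match '^C:\\\\(windows\\\\temp|root)\\\\[^\\\\]+\\.dmp$') { $reasons += 'dump file in a path used for LSASS dumps' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $f.Path; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample log: two normal authenticated requests around one
# unauthenticated request whose AnchorMailbox carries the ServerInfo~ pattern.
$sampleHttpProxyLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-02T10:15:01.000Z,1a2b,10.0.0.5,/owa/,contoso\\alice,Sid~S-1-5-21-1-2-3-1105,Server~exch01.contoso.local~1941962752,200
2021-03-02T10:15:07.000Z,1a2c,203.0.113.9,/owa/auth/x.js,,ServerInfo~a]@exch01.contoso.local:444/autodiscover/autodiscover.xml,Server~exch01.contoso.local:444/autodiscover/autodiscover.xml~1941962752,200
2021-03-02T10:16:22.000Z,1a2d,10.0.0.7,/ecp/,contoso\\bob,Sid~S-1-5-21-1-2-3-1106,Server~exch01.contoso.local~1941962752,200
'@

# Constructed sample inventory; hashes other than the first are placeholders.
$sampleFiles = @(
    [pscustomobject]@{ Path = 'C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\errorEE.aspx'; Sha256 = 'B75F163CA9B9240BF4B37AD92BC7556B40A17E27C2B8ED5C8991385FE07D17D0' }
    [pscustomobject]@{ Path = 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorFF.aspx'; Sha256 = ('0' * 63) + 'a' }
    [pscustomobject]@{ Path = 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logon.aspx'; Sha256 = ('0' * 63) + 'b' }
    [pscustomobject]@{ Path = 'C:\\ProgramData\\it.zip'; Sha256 = ('0' * 63) + 'c' }
    [pscustomobject]@{ Path = 'C:\\windows\\temp\\lsass.dmp'; Sha256 = ('0' * 63) + 'd' }
)

Find-ProxyLogonHttpProxyHits -LogText $sampleHttpProxyLog | Format-Table -AutoSize
Find-HafniumHostArtifacts -Files $sampleFiles | Format-Table -AutoSize -Wrap
```

On a real server the inventory would come from Get-ChildItem -Recurse over the IIS and Exchange front-end directories piped to Get-FileHash -Algorithm SHA256, and the log text from Get-Content on each file under Logging\\HttpProxy. The directory rule deliberately covers only aspnet_client: owa\\auth ships legitimate .aspx pages (logon.aspx, for one) and is judged by name and hash alone, which keeps the sweep from flagging every Exchange server.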
While the detections below help identify some of the specific current attacks that Microsoft has observed, it\r\nremains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857,\r\nCVE-2021-27065 and CVE-2021-26858.\r\nMicrosoft Defender Antivirus detections\r\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\r\nExploit:Script/Exmann.A!dha\r\nBehavior:Win32/Exmann.A\r\nBackdoor:ASP/SecChecker.A\r\nBackdoor:JS/Webshell (not unique)\r\nTrojan:JS/Chopper!dha (not unique)\r\nBehavior:Win32/DumpLsass.A!attk (not unique)\r\nBackdoor:HTML/TwoFaceVar.B (not unique)\r\nMicrosoft Defender for Endpoint detections\r\nSuspicious Exchange UM process creation\r\nSuspicious Exchange UM file creation\r\nPossible web shell installation (not unique)\r\nProcess memory dump (not unique)\r\nAzure Sentinel detections\r\nHAFNIUM Suspicious Exchange Request\r\nHAFNIUM UM Service writing suspicious file\r\nHAFNIUM New UM Service Child Process\r\nHAFNIUM Suspicious UM Service Errors\r\nHAFNIUM Suspicious File Downloads\r\nAdvanced hunting queries\r\nTo locate possible exploitation activity related to the contents of this blog, you can run the following advanced\r\nhunting queries via Microsoft Defender for Endpoint and Azure Sentinel:\r\nMicrosoft Defender for Endpoint advanced hunting queries\r\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location:\r\nhttps://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/\r\nAdditional queries and information are available via the Threat Analytics portal for Microsoft Defender customers.\r\nUMWorkerProcess.exe in Exchange creating abnormal content\r\nLook for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which\r\ncould indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName == \"UMWorkerProcess.exe\"\r\n| where FileName != \"CacheCleanup.bin\"\r\n| where FileName !endswith \".txt\"\r\n| where FileName !endswith \".LOG\"\r\n| where FileName !endswith \".cfg\"\r\n| where FileName != \"cleanup.bin\"\r\nUMWorkerProcess.exe spawning\r\nLook for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting\r\nexploitation of the CVE-2021-26857 vulnerability:\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == \"UMWorkerProcess.exe\"\r\n| where FileName != \"wermgr.exe\"\r\n| where FileName != \"WerFault.exe\"\r\nPlease note that excessive spawning of wermgr.exe and WerFault.exe could itself be an indicator of compromise,\r\nbecause the service crashes during deserialization.\r\nAzure Sentinel advanced hunting queries\r\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at\r\nthis GitHub location: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/.\r\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\r\nSecurityEvent\r\n| where EventID == 4688\r\n| where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\")\r\n| where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"\r\nLook for downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:\r\nLook for Exchange PowerShell Snapin being loaded. 
This can be used to export mailbox data; subsequent\r\ncommand lines should be inspected to verify usage. The snap-in names Exchange ships (Microsoft.Exchange.Management.PowerShell.SnapIn\r\non current versions) all start with Microsoft.Exchange, so the query matches on the Add-PSSnapin verb and that prefix\r\nrather than on one exact snap-in name:\r\nSecurityEvent\r\n| where EventID == 4688\r\n| where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\")\r\n| where isnotempty(CommandLine)\r\n| where CommandLine contains \"Add-PSSnapin\" and CommandLine contains \"Microsoft.Exchange\"\r\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine\r\nSource: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers"
	],
	"report_names": [
		"hafnium-targeting-exchange-servers"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87a55ccb55545333f13a7b1fd568e45bad4293b0.pdf",
		"text": "https://archive.orkl.eu/87a55ccb55545333f13a7b1fd568e45bad4293b0.txt",
		"img": "https://archive.orkl.eu/87a55ccb55545333f13a7b1fd568e45bad4293b0.jpg"
	}
}