{ "id": "b0f14b25-6ffc-4b94-b32b-e461f3eabd9a", "created_at": "2026-04-06T00:21:18.45491Z", "updated_at": "2026-04-10T13:11:40.803521Z", "deleted_at": null, "sha1_hash": "c7ddce91b43f0b7cea7ce35d362e73745acb9e49", "title": "Microsoft Exchange Server Attack Timeline", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 471247, "plain_text": "Microsoft Exchange Server Attack Timeline\r\nBy Unit 42\r\nPublished: 2021-03-11 · Archived: 2026-04-02 12:41:59 UTC\r\nExecutive Summary\r\nOn March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of\r\nMicrosoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).\r\nAlongside revealing these vulnerabilities, Microsoft published security updates and technical guidance that\r\nstressed the importance of patching immediately, while concurrently noting active and ongoing exploitation by an\r\nAdvanced Persistent Threat (APT) they call HAFNIUM. Since the initial attacks, Unit 42 and a number of other\r\nthreat intelligence teams have seen multiple threat groups now exploiting these zero-day vulnerabilities in the\r\nwild. Both the vulnerabilities themselves and the access that can be achieved by exploiting them are significant. It\r\nis therefore unsurprising that multiple attackers sought and continue to seek to compromise vulnerable systems\r\nbefore they are patched by network administrators. This has been going on at an unprecedented scale – as of\r\nMarch 8, based on telemetry collected from the Palo Alto Networks Expanse platform, we estimated there\r\nremained over 125,000 unpatched Exchange Servers in the world.\r\nBased on the reconstructed timeline, it’s now clear that there were at least 58 days between the first known\r\nexploitation of this vulnerability on Jan. 3 and when Microsoft released the patch on March 2. Applying the patch\r\nis a necessary first step, but insufficient given the amount of time the exploit was in the wild. The act of patching\r\nwill not remediate any access that attackers may have already gained to vulnerable systems. Organizations can\r\nlook to our remediation guide for steps they can take to ensure they have properly secured their Exchange Servers.\r\nAs we enter the second week since the vulnerabilities became public, initial estimates place the number of\r\ncompromised organizations in the tens of thousands, thereby dwarfing the impact of the recent SolarStorm supply\r\nchain attack in terms of victims and estimated remediation costs globally. Given the importance of this event, we\r\nare publishing a timeline of the attack based on our extensive research into the information currently available to\r\nus and our direct experience defending against these attacks. As the situation continues to unfold, we urge others\r\nto also share what they uncover so that we as a cybersecurity community get a complete picture as quickly as\r\npossible.\r\nMicrosoft Exchange Server Attack Timeline Summary\r\nThis story begins over six months ago when DevCore, a Taiwan-based security consulting firm, first initiated a\r\nproject to explore the security of Microsoft Exchange Server products. In the two-month window between\r\nOctober and December 2020, DevCore researchers made considerable progress that ultimately led to the discovery\r\nof a pre-authentication proxy vulnerability on Dec. 10, 2020. This vulnerability was given the name ProxyLogon\r\nby DevCore and is now known publicly as CVE-2021-26855.\r\nhttps://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nPage 1 of 5\n\nFollowing this initial discovery, on Dec. 27, 2020, DevCore researchers demonstrated that this vulnerability could\r\nbe leveraged to perform authentication bypass, thereby granting its users administrator-level permissions on\r\nvulnerable Exchange Servers. Shortly after this discovery, on Dec. 30, 2020, DevCore also discovered a second\r\npost-authentication file write bug that could be chained together with the first vulnerability to gain privileged\r\naccess to Exchange Servers and write files of an attacker’s choosing to any directory. This second vulnerability is\r\nnow known publicly as CVE-2021-27065.\r\nGiven the time of year and the existence of a long New Year’s holiday weekend, DevCore reached out and\r\nnotified Microsoft of the vulnerabilities on the following Tuesday (Jan. 5, 2021). At the time, the researcher\r\ncredited with the discovery of the vulnerabilities tweeted publicly.\r\nAt that point, attacks were already appearing in the wild. Volexity, a US-based security firm, reported attacks\r\ninvolving the ProxyLogon vulnerability as early as Jan. 3. On Feb. 2, the firm also reported to Microsoft\r\ninformation about attacks that occurred on Jan. 6.\r\nConcurrently, it is now believed that Dubex, a Denmark-based security firm, first noted active exploitation of the\r\nMicrosoft Exchange UMWorkerProcess on Jan. 18, 2021. This vulnerability is now known as CVE-2021-26857.\r\nIt was used by an adversary to install webshells on vulnerable servers consistent with the attacks noted by\r\nVolexity. It has been reported that Dubex notified Microsoft of its findings on Jan. 27, less than 10 days after\r\ninitial discovery.\r\nhttps://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nPage 2 of 5\n\nWith two cybersecurity vendors providing evidence of active exploitation, DevCore followed up with Microsoft\r\non Feb. 18, 2021. During the exchange, DevCore provided a draft advisory notice and requested details\r\nconcerning the patch release timeline. At the time, Microsoft shared that they planned to release the patches on\r\nMarch 9.\r\nOn Feb. 27, 2021 Microsoft notified DevCore that they were almost ready to release the security patches. That\r\nsame day, the cybersecurity community observed an uptick in unusual webshell activity, and over the following\r\ntwo days, evidence suggests multiple threat groups began active exploitation activities. ESET reported three\r\nseparate groups (Tick, LuckyMouse and Calypso) and our own analysis of webshells deployed in this window has\r\nidentified six unique passwords and clusters of activity that further support the claim of multiple threat groups. It\r\nis also worth noting that one of the passwords observed on Feb. 28, 2021 was the name “orange,” which may\r\nserve as a reference to the researcher who originally discovered the vulnerability.\r\nOn March 2, 2021, a week earlier than initially planned, Microsoft published security updates for the four\r\nvulnerabilities. In doing so, they also warned of active exploitation of these vulnerabilities by a group they named\r\nHAFNIUM and further described as a state-sponsored APT operating out of China.\r\nIn the days following the publication of the CVEs, the cybersecurity community has witnessed a surge of attacks\r\nas malicious actors seek to capitalize on the vulnerabilities before network defenders deploy patches. Over the\r\npast week, we have also identified the emergence of several new webshell passwords and clusters of activity that\r\nhave overlapping victim populations. Thus, we currently assess that several additional threat actors with varying\r\nmotives have launched efforts to exploit these vulnerabilities as well.\r\nFinally, in terms of the timeline, it is important to consider that while the Microsoft security updates were released\r\non March 2, 2021, applying these updates only protects organizations from continued or future exploitation of\r\nhttps://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nPage 3 of 5\n\nthese vulnerabilities. The security updates do not provide any protection from previous exploitation that may have\r\nresulted in compromise prior to the publication of the updates.\r\nAs documented above, there is definitive evidence that these exploits were in active use as far back as early\r\nJanuary, thus resulting in at least a two-month window of vulnerability. However, a lack of evidence of\r\nexploitation prior to January should not be misinterpreted as a lack of adversary activity.\r\nhttps://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nPage 4 of 5\n\nFigure 1. High-level timeline of activity\r\nConclusion\r\nOngoing research illustrates that these vulnerabilities are being used by multiple threat groups. While it is not new\r\nfor highly skilled attackers to leverage new vulnerabilities across varying product ecosystems, the ways in which\r\nthese attacks are conducted to bypass authentication -- thereby providing unauthorized access to emails and\r\nenabling remote code execution (RCE) -- is particularly nefarious.\r\nUnit 42 fully expects attacks leveraging these vulnerabilities to not only continue, but to increase in scope, likely\r\nincluding more varied attacks with different motivations, such as ransomware infection and/or distribution. Due to\r\nthe fact that active attacks from various threat groups leveraging these vulnerabilities is ongoing, it’s imperative to\r\nnot only patch affected systems, but also follow the guidance outlined from Unit 42’s previous remediation blog.\r\nSource: https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nhttps://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/" ], "report_names": [ "microsoft-exchange-server-attack-timeline" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "7c969685-459b-4c93-a788-74108eab6f47", "created_at": "2023-01-06T13:46:39.189751Z", "updated_at": "2026-04-10T02:00:03.241102Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "Red Dev 13", "Silk Typhoon", "MURKY PANDA", "ATK233", "G0125", "Operation Exchange Marauder" ], "source_name": "MISPGALAXY:HAFNIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2704d770-43b4-4bc4-8a5a-05df87416848", "created_at": "2022-10-25T15:50:23.306305Z", "updated_at": "2026-04-10T02:00:05.296581Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "HAFNIUM", "Operation Exchange Marauder", "Silk Typhoon" ], "source_name": "MITRE:HAFNIUM", "tools": [ "Tarrask", "ASPXSpy", "Impacket", "PsExec", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7", "created_at": "2023-01-06T13:46:39.068694Z", "updated_at": "2026-04-10T02:00:03.202867Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "BRONZE MEDLEY" ], "source_name": "MISPGALAXY:Calypso", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13d9c5fc-af82-4474-90dd-188c4e40a399", "created_at": "2022-10-25T16:07:23.435079Z", "updated_at": "2026-04-10T02:00:04.601572Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "Bronze Medley" ], "source_name": "ETDA:Calypso", "tools": [ "Agent.dhwf", "Byeby", "Calypso RAT", "DCSync", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "EternalRomance", "FlyingDutchman", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "NBTscan", "OS_Check_445", "PlugX", "Quarks PwDump", "RedDelta", "SAMRID", "Sogu", "SysInternals", "TCP Port Scanner", "TIGERPLUG", "TVT", "Thoper", "Whitebird", "Xamtrav", "ZXPortMap", "nbtscan", "netcat" ], "source_id": "ETDA", "reports": null }, { "id": "529c1ae9-4579-4245-86a6-20f4563a695d", "created_at": "2022-10-25T16:07:23.702006Z", "updated_at": "2026-04-10T02:00:04.71708Z", "deleted_at": null, "main_name": "Hafnium", "aliases": [ "G0125", "Murky Panda", "Red Dev 13", "Silk Typhoon" ], "source_name": "ETDA:Hafnium", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434878, "ts_updated_at": 1775826700, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c7ddce91b43f0b7cea7ce35d362e73745acb9e49.pdf", "text": "https://archive.orkl.eu/c7ddce91b43f0b7cea7ce35d362e73745acb9e49.txt", "img": "https://archive.orkl.eu/c7ddce91b43f0b7cea7ce35d362e73745acb9e49.jpg" } }