{
	"id": "5f007389-6d68-47cc-9ada-04e674d97b06",
	"created_at": "2026-04-06T00:17:19.811057Z",
	"updated_at": "2026-04-10T03:35:48.56741Z",
	"deleted_at": null,
	"sha1_hash": "ff0c64bc5af60cf58e220e97964af1fc81cf77c5",
	"title": "Microsoft Exchange Breach in Jan. 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55723,
	"plain_text": "Microsoft Exchange Breach in Jan. 2021\r\nBy: Nitesh Surana, Apr 14, 2021. Read time: 5 min (1258 words)\r\nPublished: 2021-04-14 · Archived: 2026-04-05 14:23:33 UTC\r\nCould the Microsoft Exchange breach be stopped?\r\nA look at the latest Microsoft zero-day exploits and how Trend Micro could help protect you.\r\nLast March it seemed the world came to a standstill as the COVID-19 pandemic began to spread rapidly. While businesses, sporting events, and schools started shutting down, cybercriminals remained as active as ever. In 2020, the Trend Micro Zero Day Initiative™ (ZDI) published 1,453 advisories, the most ever in the history of the program. More startling is the fact that 18.6% of all disclosures were published without a fix from the vendor, another record-breaking stat.\r\nAs ZDI predicted, 2021 continued to be a busy year. In March 2021, Microsoft kicked off the patch cycle early after releasing an advisory regarding the mass exploitation of four zero-day vulnerabilities by a Chinese hacking group, HAFNIUM, against on-premises versions of Microsoft Exchange Server. In the days following the attack, Trend Micro reported that at least 30,000 organizations in the US were thought to have been attacked, and 63,000 servers remained exposed to these exploits.\r\nThe vulnerability has been dubbed ProxyLogon by the researchers at DEVCORE, who are credited with finding the bugs in the proxy architecture and the logon mechanism of Exchange. DEVCORE reported two of the four zero-days (CVE-2021-26855 and CVE-2021-27065) to the Microsoft Security Response Center (MSRC). On March 2, Volexity reported in-the-wild exploitation of the vulnerabilities, and DEVCORE confirmed that the exploit observed by Volexity was the one submitted to MSRC.\r\nSince then, there has been opportunistic exploitation by various threat actors and ransomware groups (DearCry, BlackKingdom), since the majority of Outlook Web App portals are public and indexed by search engines such as Google Search, Shodan, BinaryEdge, Censys, and ZoomEye. According to Shodan, on March 4, a day after the patch was released, more than 266,000 Exchange Servers were still vulnerable to ProxyLogon.\r\nFig - Shodan Results\r\nIn light of these exploits, let’s take a look at how Trend Micro Vision One™ and Trend Micro Cloud One™ can provide protection against two of the four zero-days, CVE-2021-26855 and CVE-2021-27065.\r\nOverview:\r\nTwo bugs are chained to achieve remote code execution. For the attack to succeed, an attacker requires access to the Outlook Web App portal of the vulnerable Exchange Server and a valid email address.\r\n1. CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability (pre-authenticated Server-Side Request Forgery [SSRF])\r\n2. CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability (post-authenticated Arbitrary File Write)\r\nFig - MS Exchange Client Access Protocol Architecture\r\nThe Client Access services (the Outlook Web App portal) proxy incoming connections to the backend services. As per the Exchange documentation, clients do not connect directly to the backend services. Because of the SSRF vulnerability, however, attackers can query the internal backend services and APIs on the Exchange Server, bypassing the frontend proxy.\r\nBy abusing the SSRF, attackers can obtain session IDs and access tokens for privileged accounts in the context of the Exchange Control Panel, which can then be used to write files with attacker-controlled content to an attacker-chosen location on the target server. Since Exchange depends on the Internet Information Services (IIS) web server, an attacker can write ASPX web shells and run arbitrary commands as SYSTEM on the Exchange Server.\r\nIn January 2021, we came across extensive use of Chopper ASPX web shells in targeted attacks by malicious actors to establish persistence and a foothold on public-facing Outlook Web App servers.\r\nTrend Micro Cloud One™ – Workload Security Correlation:\r\nTrend Micro Cloud One™ – Workload Security is a cloud-native solution that provides automated security via powerful APIs. Security as code allows DevOps teams to bake security into their build pipeline to release continuously and frequently, so developers like yourself can keep working without disruption from security.\r\nWorkload Security uses advanced security controls such as intrusion prevention system (IPS), deep packet inspection (DPI), and integrity monitoring to protect Exchange Servers from attackers that could exploit ProxyLogon. The following detection rules safeguard a vulnerable Exchange Server from the CVEs reported:\r\nIntrusion Prevention System detections:\r\n1. 1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)\r\n2. 1010868 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)\r\n3. 1010870 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) – 1\r\n4. 1007170 - Identified Suspicious China Chopper Webshell Communication (ATT\u0026CK T1100)\r\n5. 1005934 - Identified Suspicious Command Injection Attack\r\nIntegrity Monitoring detections:\r\n1. 1010855 - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities\r\nImage 2 - Workload Security detection events for rules 1010854, 1007170, 1010870, 1005934 and 1010855\r\nTrend Micro Vision One™ Correlation:\r\nFig - Microsoft Exchange Server RCE Vulnerability (CVE-2021-26855 + CVE-2021-27065)\r\nTrend Micro Vision One™ is a purpose-built threat defense platform with extended detection and response (XDR) capabilities that work to prevent the majority of attacks with automated protection. The solution allows you to see more and respond faster by collecting and correlating data across email, endpoints, servers, cloud workloads, and networks.\r\nUsing the Trend Micro Vision One Workbench, you can easily see what threats were detected, the attack techniques used, and a prioritized list of risky devices and users. With Trend Micro Vision One, we ran a public proof of concept (PoC) available online exploiting the ProxyLogon vulnerability. The above image shows the vulnerability detected and all the assets related to the alert for further investigation. Let’s take a deeper look:\r\nFig - Potential Chopper Webshell Detection\r\nThe Potential Chopper Webshell Execution model triggers when the web shell is already present on the machine and is being used as a backdoor to run commands as SYSTEM on the Exchange Server using China Chopper. The metrics provided by this model should be investigated carefully, since the ProxyLogon zero-day vulnerability was exploited in the wild before Microsoft addressed the issue publicly. Microsoft has since taken things a step further by creating patches for out-of-support versions of Exchange. Overall, Microsoft released patches for 89 unique CVEs in March, 14 of which were listed as Critical and 75 as Important in severity.\r\nFig - Microsoft Exchange Server Possible ASPX Web Shell\r\nThe above model triggers when a new web shell is created. You can see the path and name of the web shell.\r\nFig - Potential Chopper Webshell Execution\r\nFig - Identified Suspicious China Chopper Webshell Communication\r\nFig - Possible Credential Dumping via Command Line\r\nThis model is triggered when an attacker dumps credentials from memory using Mimikatz via the command line. Since the web shell runs as the SYSTEM user, an attacker can fetch the NT LAN Manager (NTLM) hashes of the logged-in users, create or delete accounts, and perform extensive post-exploitation activities on the Exchange Server.\r\nFigure - Executing Mimikatz as SYSTEM using CC\r\nFig - System Owner User Discovery\r\nThe above event was triggered when we ran whoami from within the Chopper web shell. Since requests to the ASPX web shell are handled by w3wp.exe, the IIS worker process of the configured IIS application pool (the Microsoft Exchange app pool), the commands run in the context of the NT Authority\\SYSTEM user.\r\nRCA Diagrams:\r\nFig. Executing commands using Chopper CnC\r\nConclusion\r\nThere is no silver bullet when it comes to cybersecurity, but using solutions that bake security into your development pipeline as early as possible is better than scrambling for patches after deployment. Quick and easy to deploy solutions like Trend Micro Cloud One and Trend Micro Vision One can provide you with SecOps-approved security from build-time to runtime without slowing you down. Imagine that!\r\nSource: https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html"
	],
	"report_names": [
		"could-the-microsoft-exchange-breach-be-stopped.html"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff0c64bc5af60cf58e220e97964af1fc81cf77c5.pdf",
		"text": "https://archive.orkl.eu/ff0c64bc5af60cf58e220e97964af1fc81cf77c5.txt",
		"img": "https://archive.orkl.eu/ff0c64bc5af60cf58e220e97964af1fc81cf77c5.jpg"
	}
}