Cyber Incident Response Manager, Mark Cunningham-Dickie, discusses the recent reports of exploited vulnerabilities affecting Microsoft.

There are actively exploited vulnerabilities affecting Microsoft on-premise Exchange (email) servers. The exploits are sufficiently serious that Microsoft have released patches outwith their normal schedule to mitigate them.

Late (UK time) on the 2nd March 2021, Microsoft released a patch to address four previously undisclosed vulnerabilities (zero-day vulnerabilities) that had been detected being actively exploited (zero-day exploits).

Microsoft usually release patches and updates on the second Tuesday of every month, dubbed “patch Tuesday”, so this out-of-band release is notable, especially given it couldn’t wait a week and that these vulnerabilities are being actively exploited.

The vulnerabilities and exploits pertain to several versions of on-premise Microsoft Exchange servers. While Office 365 Exchange is not vulnerable, organisations with hybrid on-premise and in-cloud setups are.

The same group responsible for the exploit has been identified interacting with victim Office 365 tenants in order to gather information about the target’s environment. These attempts are not believed to have succeeded in compromising the tenancies and may be unrelated to these exploits.

On Tuesday, Microsoft said in a blog:

“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.”

The threat actor in this case has been identified as HAFNIUM, a Chinese state-sponsored hacker collective that typically targets U.S. institutions such as government organisations, NGOs, research institutions, law firms, educational establishments, defence contractors and public policy think tanks.

Although this has been their main focus in the past, other nations are not immune, and the group has been linked with attacks against infectious disease research establishments.

It’s not unimaginable therefore that desirable targets within Scotland could include organisations in the public sector, oil and gas, law firms, defence firms, critical national infrastructure as well as educational and research institutions.

In the technical post (below) I have provided details regarding remediation, indicators of compromise, links to further information and resources to help SMEs and third sector organisations combat this threat.

Even if your organisation does not work in any of the above sectors it is highly advisable to apply the patches.

You may be targeted in order to compromise clients and suppliers within your supply chain. Once vulnerabilities like these are disclosed, criminal enterprises typically adopt the exploit very quickly, and code to achieve these exploits is already circulating on the internet.

My advice: patch now.

If you are worried your organisation may have fallen victim to an attack, you can contact the SBRC cyber incident response helpline for free on: 01786 447 441

Update (04/03/21):

Initial indications were that this was a targeted and limited attack. However, that doesn’t appear to be the case. Since the release of the Indicators of Compromise (IoCs), many security research firms have been analysing their clients’ environments and have found the compromise to be far more widespread than expected. While the bulk of the targets are in the US, increasing numbers are being identified in EMEA, with targets including governments, law firms, medical research facilities and some private firms.

As with any patchable vulnerability and active exploit, the advice remains: patch your systems and, if you have the capability, configure monitoring in your environments to detect and alert based on the IoCs.

Technical update for IT departments and System Administrators

Threat Actor

The exploits have been attributed to the Chinese state-sponsored hacking group HAFNIUM.

There are four exploits associated with the following four vulnerabilities:

  • CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Attack Details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:

  • These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
  • Exploitation can be identified by searching for log entries where the AuthenticatedUser field is empty and the AnchorMailbox field matches the pattern ServerInfo~*/*

Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.

These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.

CVE-2021-26858 exploitation can be detected via the Exchange log files:

  • C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
  • Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

In case of exploitation, files are downloaded to other directories (UNC or local paths).

Windows command to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

CVE-2021-26857 exploitation can be detected via the Windows Application event logs:

  • Exploitation of this deserialization bug will create Application events with the following properties:

Source: MSExchange Unified Messaging

EntryType: Error

Event Message Contains: System.InvalidCastException

Following is a PowerShell command to query the Application event log for these entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

CVE-2021-27065 exploitation can be detected via the following Exchange log files:

  • C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

No Set-<AppName>VirtualDirectory property should ever contain script. InternalUrl and ExternalUrl should only ever be valid URIs.

Following is a PowerShell command to search for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
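As an added example (not code from the original post or from Microsoft’s guidance), the two log checks above for CVE-2021-26855 and CVE-2021-27065 carried over to Python for offline review of collected log copies. The sample HttpProxy rows and ECP lines are constructed, and the assumption that the cmdlet and its parameters appear in the ECP line text is mine.

```python
import csv
import fnmatch
import io
import re
from urllib.parse import urlparse

# Constructed HttpProxy log sample (CSV, header first); only the columns the
# check needs are meaningful, the other values are placeholders.
SAMPLE_HTTPPROXY_LOG = """DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-02T21:14:03.101Z,10.0.0.5,CORP\\alice,alice@corp.example,/owa/
2021-03-02T21:15:44.230Z,198.51.100.7,,ServerInfo~localhost/autodiscover/autodiscover.xml,/ecp/
2021-03-02T21:16:02.009Z,10.0.0.9,CORP\\bob,bob@corp.example,/mapi/
"""
# Constructed ECP\Server log lines; assumes the cmdlet and its parameters appear
# in the line text, which is what the Select-String check above relies on.
SAMPLE_ECP_LINES = [
    "2021-03-02T21:20:11Z,Set-OabVirtualDirectory -Identity 'OAB' -ExternalUrl 'https://mail.corp.example/OAB'",
    "2021-03-02T21:21:37Z,Set-OabVirtualDirectory -Identity 'OAB' -ExternalUrl 'http://f/<script>...</script>'",
]
ANCHOR_PATTERN = "ServerInfo~*/*"  # same wildcard as the -like test above
CMDLET_RE = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
URL_PARAM_RE = re.compile(r"-(InternalUrl|ExternalUrl)\s+'([^']*)'", re.IGNORECASE)


def find_ssrf_candidates(log_text):
    """(DateTime, AnchorMailbox) for rows with an empty AuthenticatedUser whose
    AnchorMailbox matches ServerInfo~*/*; case-insensitive, like PowerShell -like."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatch(anchor.lower(), ANCHOR_PATTERN.lower()):
            hits.append((row["DateTime"], anchor))
    return hits

def is_plain_http_uri(value):
    """True only for an http(s) URL with a host and no markup, quote or space characters."""
    parts = urlparse(value)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and re.search(r"[<>\"'\s]", value) is None)

def find_bad_virtualdirectory_urls(lines):
    """(line_no, parameter, value) for Set-*VirtualDirectory calls whose
    InternalUrl/ExternalUrl is not a plain URI, the condition the page flags."""
    findings = []
    for n, line in enumerate(lines, 1):
        if CMDLET_RE.search(line):
            for param, value in URL_PARAM_RE.findall(line):
                if not is_plain_http_uri(value):
                    findings.append((n, param, value))
    return findings
```

Point find_ssrf_candidates at the contents of each file under the HttpProxy logging directory and find_bad_virtualdirectory_urls at the lines of each ECP\Server log; an empty result from both is the expected state on an unaffected server.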

Web shell hashes:

Web shells have been observed in the following paths:

In Microsoft Exchange Server installation paths such as:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

Detected web shells had the following file names:

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

Additional resources for detection of compromise using various different SOC tools can be found at:

Microsoft have released out-of-band patches to counter this.

The Microsoft Exchange team have published a blog post on the new security patches and have provided scripts to assist with answering some key questions around the deployment of the patches.

Patches are available for the different versions of Exchange:

Sources & Further Information: