Anatomy of a Breach: Microsoft Exchange and Hafnium — 250,000 Servers Compromised in a Global Mass Exploitation Event

> series: anatomy_of_a_breach —— part: 147 —— target: microsoft_exchange_servers —— servers: 250,000 —— attacker: hafnium_china —— exploits: proxylogon

Hedgehog Security 31 March 2021 14 min read

250,000 Exchange servers. Four zero-days. Every unpatched server on the internet compromised.

On 2 March 2021, Microsoft disclosed four zero-day vulnerabilities in on-premises Microsoft Exchange Server — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — collectively known as ProxyLogon. The vulnerabilities, which had been exploited by Hafnium (a Chinese state-sponsored group) since at least January 2021, allowed unauthenticated remote code execution against any internet-facing Exchange server. Microsoft released emergency out-of-band patches, but by that point, an estimated 250,000 servers globally had already been compromised.

The situation deteriorated rapidly after the patches were released: multiple additional threat groups — including ransomware operators — reverse-engineered the patches to create their own exploits and began mass-scanning and compromising every unpatched Exchange server on the internet. The NCSC issued urgent guidance to UK organisations to patch immediately and check for web shells that indicated prior compromise. The Hafnium/Exchange event was one of the largest mass exploitation events in history — affecting governments, businesses, and organisations of every size in every country.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Once the patch was released, every criminal reverse-engineered it.

250,000 Servers Compromised
The scale was extraordinary: a quarter of a million Exchange servers compromised globally, including thousands of UK organisations. Any organisation running on-premises Exchange with Outlook Web Access (OWA) exposed to the internet was potentially affected. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies internet-facing Exchange servers and their patch status.
Web Shells for Persistent Access
The attackers installed web shells — small scripts that provide persistent remote access — on compromised servers. Even after patching, these web shells remained, giving the attackers continued access. Patching alone was not sufficient; organisations also needed to check for and remove web shells. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects web shell installation and usage.
Patch-to-Exploit Pipeline
Once Microsoft released the patches, criminal groups reverse-engineered them to identify the vulnerabilities and create exploits — attacking in the window between patch release and patch application. The <a href="/cyber-essentials">Cyber Essentials</a> 14-day patching mandate is critical for exactly this scenario.
Email Server = Crown Jewels
Exchange servers hold an organisation's entire email archive — years of internal communications, client data, strategic plans, and confidential information. Compromising Exchange provides access to the most sensitive corporate data. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses email server security.
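The point about web shells surviving the patch is worth making concrete. The script below is an added example written for this article, not code from Hedgehog Security, Microsoft or the NCSC: it walks an Exchange web root, picks out server-side script files (.aspx, .ashx, .asmx), notes which were modified after a given campaign start date, and flags those whose content reaches for request parameters or process execution. The directory layout, the file names and the sample file contents are all constructed inline for the demonstration (the benign and flagged files are comments and static markup, not working shells); on a real server the operator supplies the actual web root paths and should treat any hit as a lead for forensic review rather than a verdict.

```python
"""Web shell triage for an Exchange web root (added example, not from the article)."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed campaign start: the article states exploitation began by January 2021.
CAMPAIGN_START = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Constructed content signatures: server-side script that consumes request
# parameters directly, evaluates code, or launches processes. Any one of these
# in a file under a web root deserves a closer look; legitimate OWA pages do
# not normally contain them.
SUSPICIOUS_PATTERNS = [
    re.compile(r'Request\s*\[\s*"[^"]+"\s*\]', re.IGNORECASE),
    re.compile(r'\beval\s*\(', re.IGNORECASE),
    re.compile(r'Process\.Start|ProcessStartInfo', re.IGNORECASE),
    re.compile(r'System\.Diagnostics', re.IGNORECASE),
]

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def scan_file(path, since):
    """Return the reasons a file looks suspicious (empty list if it looks clean)."""
    reasons = []
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    if mtime >= since:
        # Recent modification is context only: patching touches real files too.
        reasons.append(f"modified after {since.date()}")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    for pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(body):
            reasons.append(f"matches {pattern.pattern}")
    return reasons


def hunt(web_root, since=CAMPAIGN_START):
    """Map relative path -> reasons for every script file with a content hit."""
    findings = {}
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_file(full, since)
            # Only a content match turns a file into a finding; a fresh mtime
            # alone is kept as supporting context on the finding.
            if any(r.startswith("matches") for r in reasons):
                findings[os.path.relpath(full, web_root)] = reasons
    return findings


def build_sample_web_root():
    """Create a constructed, throwaway web root with one benign and one flagged file."""
    root = tempfile.mkdtemp(prefix="exchange_webroot_")
    benign_dir = os.path.join(root, "owa", "auth")
    dropped_dir = os.path.join(root, "aspnet_client", "system_web")
    os.makedirs(benign_dir)
    os.makedirs(dropped_dir)
    # Constructed benign page: static markup only.
    with open(os.path.join(benign_dir, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Outlook Web App</body></html>\n')
    # Constructed suspicious file: a comment carrying the tokens the scanner
    # keys on, so it trips the signatures without being executable.
    with open(os.path.join(dropped_dir, "helper.aspx"), "w", encoding="utf-8") as fh:
        fh.write('<!-- constructed sample: Request["input"] System.Diagnostics -->\n')
    return root


if __name__ == "__main__":
    sample_root = build_sample_web_root()
    for rel_path, why in hunt(sample_root).items():
        print(rel_path)
        for reason in why:
            print("   ", reason)
```

Run it as-is to see the constructed hit; on a live server call `hunt()` with the real web root directories and a `since` date matching your own exposure window, and pair the output with IIS log review of requests to the flagged paths.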

Thousands of UK organisations affected. The NCSC issued emergency guidance.

The NCSC issued urgent guidance to all UK organisations running on-premises Exchange, and multiple UK organisations were confirmed as compromised. For any UK organisation still running on-premises Exchange servers, the Hafnium event was a watershed: the risk of maintaining internet-facing Exchange was demonstrated to be existential. Many organisations accelerated their migration to Exchange Online (Microsoft 365) in the aftermath.

Vulnerability scanning identifies unpatched Exchange servers. Infrastructure testing checks for web shells and indicators of compromise. Cyber Essentials mandates 14-day patching. SOC in a Box monitors for Exchange exploitation attempts and web shell activity. And UK Cyber Defence provides the forensic investigation capability to determine whether your Exchange servers were compromised during the Hafnium campaign.


250,000 Exchange servers compromised globally. Was yours one of them?

<a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched Exchange. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> detects web shells. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching.

