Exchange server exploit detected

Microsoft has issued a notice about a security flaw in its Exchange email server. The exploit is called Hafnium and is apparently sponsored by China. Microsoft warns that Hafnium targets "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."


The exploit works by gaining access to the Exchange server using stolen passwords and then using a web shell to control the server remotely. The exploit is operated from virtual private servers based in the United States. The exploit can make use of PowerShell to export data from an Outlook profile.


Security updates which address the Hafnium vulnerability are available from Microsoft. Microsoft has also posted a script to GitHub which can be used to scan log files for signs that an Exchange server has been compromised. See: https://github.com/microsoft/CSS-Exchange/tree/main/Security.


This simple findstr Windows command is recommended to check for signs that the Hafnium exploit has compromised a server (it searches the Offline Address Book generator logs for a string left behind by the attack):


findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"


Microsoft also helps businesses and law firms search for signs of the exploit by posting the hash values of the Hafnium web shells that have been found, and the names of the .aspx files used by the web shells. These Active Server Page Extended (.aspx) files are server-side pages that the web server runs to respond to a web browser, which is what makes them useful to an attacker as a web shell.
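The two checks described above (the findstr search of the OAB generator logs, and comparing .aspx files against the published web-shell hashes) can be run together from one PowerShell script. The script below is an added example written for this post; it is not Microsoft's CSS-Exchange script. It assumes the Exchange install path used in the findstr command, assumes that .aspx files live under the standard Exchange FrontEnd\HttpProxy directory and the IIS inetpub\wwwroot directory, and uses placeholder hash values that must be replaced with the SHA-256 values from Microsoft's advisory before it is useful.

```powershell
# Added example (not Microsoft's CSS-Exchange script). Two triage checks for an
# Exchange server:
#   1. search the OABGeneratorLog files for the indicator string used by the
#      findstr command above;
#   2. hash every .aspx file under the web directories and compare against a
#      list of known web-shell hashes.
# The hash list is a PLACEHOLDER; fill it from Microsoft's advisory.
param(
    # Exchange install root; default is the path from the findstr command.
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    # Directories to scan for .aspx files (assumed standard locations; adjust to
    # the paths listed in the advisory for your Exchange version).
    [string[]]$WebDirs = @(
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
        "$env:SystemDrive\inetpub\wwwroot"
    ),
    # Where the findings are written for the incident record.
    [string]$ReportPath = "$env:TEMP\exchange-triage.csv"
)

$findings = New-Object System.Collections.Generic.List[object]

# --- Check 1: log indicator (same literal string as the findstr command) ---
$oabLogDir = Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'
if (Test-Path $oabLogDir) {
    Get-ChildItem -Path $oabLogDir -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Download failed and temporary file' -SimpleMatch |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type   = 'LogIndicator'
                Path   = $_.Path
                Detail = "line $($_.LineNumber): $($_.Line.Trim())"
            })
        }
} else {
    Write-Warning "OAB generator log directory not found: $oabLogDir"
}

# --- Check 2: web-shell hashes and recently written .aspx files ---
# PLACEHOLDER values: replace with the SHA-256 hashes published by Microsoft.
$knownBadSha256 = @(
    'PLACEHOLDER_SHA256_FROM_ADVISORY_1',
    'PLACEHOLDER_SHA256_FROM_ADVISORY_2'
)
$recentCutoff = (Get-Date).AddDays(-30)

foreach ($dir in $WebDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($knownBadSha256 -contains $hash) {
                $findings.Add([pscustomobject]@{
                    Type   = 'KnownWebShellHash'
                    Path   = $_.FullName
                    Detail = $hash
                })
            } elseif ($_.LastWriteTime -gt $recentCutoff) {
                # Legitimate Exchange .aspx pages rarely change; a recent write
                # time is not proof of anything but is worth an analyst's look.
                $findings.Add([pscustomobject]@{
                    Type   = 'RecentAspxFile'
                    Path   = $_.FullName
                    Detail = "modified $($_.LastWriteTime.ToString('s')); sha256 $hash"
                })
            }
        }
}

# --- Report ---
if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) finding(s) written to $ReportPath"
} else {
    Write-Host "No indicators found in $oabLogDir or $($WebDirs -join ', ')"
}
```

Run it from an elevated PowerShell prompt on the Exchange server; the CSV it writes is a convenient record to hand to whoever handles the incident. A "RecentAspxFile" finding only means the file was written in the last 30 days, so compare it against a known-good server or Microsoft's published file names before drawing a conclusion.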

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea.