In early March 2021, Microsoft disclosed that a Chinese state-sponsored threat actor known as HAFNIUM had been exploiting four previously unknown vulnerabilities in Microsoft Exchange Server. The scope was staggering: an estimated 30,000 organizations in the United States alone were compromised, with the global total reaching into the hundreds of thousands.
This was not a targeted espionage operation against a handful of high-value targets. It was mass exploitation on an industrial scale.
The Four Zero-Days
The vulnerabilities, collectively referred to as ProxyLogon, affected on-premises Exchange Server installations (2013, 2016, and 2019); Exchange 2010, already out of support, received a defense-in-depth update for CVE-2021-26857. Exchange Online (Microsoft 365) was not affected.
- CVE-2021-26855 — A server-side request forgery (SSRF) vulnerability that allowed an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 — An insecure deserialization vulnerability in the Unified Messaging service, allowing code execution as SYSTEM. On its own it required administrator permissions or another vulnerability to reach.
- CVE-2021-26858 — A post-authentication arbitrary file write vulnerability.
- CVE-2021-27065 — Another post-authentication arbitrary file write vulnerability, reachable through the Exchange Control Panel (ECP); this is the one paired with the SSRF in the chain DEVCORE reported.
Chained together, these vulnerabilities allowed an unauthenticated attacker to gain full control of any internet-facing Exchange Server. The chain worked as follows: use CVE-2021-26855 to reach backend services as the Exchange server itself, then use one of the post-authentication bugs for code execution. CVE-2021-27065 or CVE-2021-26858 wrote a web shell to disk; the widely used chain abused ECP to set the Offline Address Book (OAB) virtual directory's ExternalUrl to a payload and then reset the virtual directory so that value was written into an .aspx file under the web root. CVE-2021-26857 gave code execution as SYSTEM directly. Once a web shell was in place, the attacker had persistent remote access that survived patching, unless the web shell was discovered and removed.
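Microsoft published log-based indicators for each bug in the chain, and they can be checked offline against exported logs. The following is an added example written for this article, not Microsoft's Test-ProxyLogon script or any HAFNIUM tooling; the log lines, IP addresses and server names in it are constructed, and real HttpProxy logs carry many more columns than the subset shown. It flags HttpProxy rows whose AnchorMailbox matches Microsoft's ServerInfo~*/* indicator for CVE-2021-26855, ECP Server log lines invoking a Set-*VirtualDirectory cmdlet (the path CVE-2021-27065 abuses), and Unified Messaging errors containing System.InvalidCastException (CVE-2021-26857).

```python
"""Offline triage of exported Exchange logs for ProxyLogon indicators.

Added example for this article; it is not Microsoft's Test-ProxyLogon.ps1.
The three checks mirror the indicators Microsoft published in March 2021:
  * HttpProxy logs: AnchorMailbox matching ServerInfo~*/*   (CVE-2021-26855)
  * ECP Server logs: Set-*VirtualDirectory cmdlet calls    (CVE-2021-27065)
  * Application event log: MSExchange Unified Messaging errors
    mentioning System.InvalidCastException                  (CVE-2021-26857)
Every log line below is constructed; real HttpProxy logs have far more columns.
"""
import csv
import re

# Constructed HttpProxy log. Exchange writes these as CSV with a #Fields header
# under <ExchangeInstallPath>\Logging\HttpProxy\<protocol>\ .
HTTPPROXY_SAMPLE = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-01T02:14:07.221Z,/owa/auth/logon.aspx,,,198.51.100.23,200
2021-03-01T02:14:09.503Z,/owa/auth/x.js,,ServerInfo~EXCH01:444/autodiscover/autodiscover.xml?a=~1942062522,198.51.100.23,200
2021-03-01T02:14:11.870Z,/ecp/y.js,,ServerInfo~EXCH01:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory,198.51.100.23,200
2021-03-01T08:30:12.000Z,/owa/,CONTOSO\\alice,alice@contoso.com,10.0.0.5,200
"""

# Constructed ECP Server log lines (timestamp, client IP, cmdlet). Only the
# cmdlet name matters for the check; the real layout has more fields.
ECP_SERVER_SAMPLE = """\
2021-03-01T02:14:12.014Z,198.51.100.23,Get-OabVirtualDirectory
2021-03-01T02:14:13.402Z,198.51.100.23,Set-OabVirtualDirectory -ExternalUrl <payload omitted>
2021-03-01T09:02:44.118Z,10.0.0.7,Set-Mailbox -Identity alice
"""

# Constructed Application event log entries, as exported to dicts.
EVENT_LOG_SAMPLE = [
    {"source": "MSExchange Unified Messaging", "level": "Error",
     "message": "The UM worker process terminated: System.InvalidCastException: "
                "Unable to cast object of type ..."},
    {"source": "MSExchange Unified Messaging", "level": "Warning",
     "message": "UM worker process recycled."},
    {"source": "MSExchange Common", "level": "Error",
     "message": "System.InvalidCastException in an unrelated component"},
]

# Microsoft's published HttpProxy indicator is the wildcard ServerInfo~*/*.
SSRF_ANCHOR = re.compile(r"^ServerInfo~.*/")
# Tightened form of Microsoft's ECP search pattern Set-.+VirtualDirectory.
VDIR_CMDLET = re.compile(r"Set-[A-Za-z]+VirtualDirectory")


def parse_httpproxy_log(text):
    """Parse an Exchange HttpProxy CSV log into dict rows using its #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(line)
    if fields is None:
        raise ValueError("no #Fields header in HttpProxy log")
    return list(csv.DictReader(rows, fieldnames=fields))


def find_ssrf_requests(text):
    """Rows whose AnchorMailbox carries the CVE-2021-26855 SSRF marker."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox") or ""
        if SSRF_ANCHOR.match(anchor):
            hits.append({"time": row["DateTime"], "ip": row["ClientIpAddress"],
                         "url": row["UrlStem"], "anchor": anchor})
    return hits


def find_vdir_changes(text):
    """ECP Server log lines invoking Set-*VirtualDirectory.

    Administrators run these cmdlets too, so correlate time and source IP
    with the SSRF hits before treating a match as exploitation."""
    hits = []
    for line in text.splitlines():
        m = VDIR_CMDLET.search(line)
        if m:
            time, ip = line.split(",", 2)[:2]
            hits.append({"time": time, "ip": ip, "cmdlet": m.group(0)})
    return hits


def find_um_deserialization_errors(events):
    """UM service errors containing System.InvalidCastException (CVE-2021-26857)."""
    return [e for e in events
            if e["source"] == "MSExchange Unified Messaging"
            and e["level"] == "Error"
            and "System.InvalidCastException" in e["message"]]


if __name__ == "__main__":
    for h in find_ssrf_requests(HTTPPROXY_SAMPLE):
        print("SSRF", h["time"], h["ip"], h["url"], h["anchor"])
    for h in find_vdir_changes(ECP_SERVER_SAMPLE):
        print("VDIR", h["time"], h["ip"], h["cmdlet"])
    for e in find_um_deserialization_errors(EVENT_LOG_SAMPLE):
        print("UM  ", e["message"][:60])
```

A Set-*VirtualDirectory hit on its own is not proof of compromise; the value is in the correlation, here a cmdlet call from the same client address and within seconds of anonymous requests carrying the ServerInfo~ anchor. A positive result from any of these checks tells you the server was reached, not what was left behind, so it has to be followed by a hunt for web shells and other persistence.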
The Timeline Problem
The timeline of this attack reveals a tension between responsible disclosure and real-world exploitation:
- January 5, 2021 — Security firm DEVCORE reported the SSRF (CVE-2021-26855) and the post-authentication file write (CVE-2021-27065) to Microsoft; Microsoft acknowledged the report on January 6.
- January-February 2021 — HAFNIUM conducted targeted exploitation against a small number of entities, primarily US defense contractors, think tanks, and law firms. Volexity and Dubex independently detected the activity and reported it to Microsoft in late January and early February.
- February 26-27, 2021 — Exploitation suddenly accelerated to mass scanning and exploitation of every reachable Exchange Server on the internet. This shift from targeted to mass exploitation suggested HAFNIUM learned that patches were imminent.
- March 2, 2021 — Microsoft released emergency out-of-band patches, a week ahead of the March 9 Patch Tuesday for which the fixes had originally been scheduled.
- March 2-5, 2021 — Multiple additional threat groups began exploiting the same vulnerabilities, installing their own web shells on already-compromised servers. Some servers had web shells from multiple distinct groups.
The critical window between February 26 and March 2 saw an explosion of compromises. By the time patches were available, tens of thousands of servers were already backdoored. Patching closed the door for new exploitation but did nothing about the web shells already installed.
Why On-Premises Exchange Was So Vulnerable
This attack hit a particular pain point in enterprise IT: on-premises Exchange Server is extraordinarily common, especially among small and medium businesses, local governments, schools, and organizations that had not yet migrated to cloud email.
Many of these organizations:
- Lacked dedicated security teams to monitor Exchange logs for indicators of compromise.
- Were slow to apply patches, sometimes taking weeks or months.
- Did not have endpoint detection and response (EDR) tools on their mail servers.
- Had Exchange servers directly exposed to the internet on ports 443 (HTTPS) and 80 (HTTP), because Outlook on the web (OWA), the Exchange Control Panel (ECP), Exchange Web Services, ActiveSync, and Autodiscover are all served by the same IIS front end, and that front end is where the vulnerable code ran.
The result was a target-rich environment. Shodan scans at the time showed over 400,000 Exchange servers reachable from the internet globally. Each one was a potential target.
The Response
The response was chaotic because of the sheer scale:
- CISA issued Emergency Directive 21-02 on March 3, requiring federal agencies to collect forensic images of their Exchange servers, hunt for indicators of compromise, patch immediately, and disconnect any server showing signs of compromise and report it to CISA.
- Microsoft released the Exchange On-premises Mitigation Tool (EOMT) on March 15 for organizations that could not immediately patch. It applied an IIS URL Rewrite rule that blocked the request pattern used to exploit CVE-2021-26855, ran Microsoft Safety Scanner to remove known web shells, and attempted to reverse changes made by identified threats. It was a stopgap, not a substitute for the security update.
- In April 2021 the FBI obtained a court order to remotely access and remove web shells from hundreds of compromised Exchange servers in the United States, an unprecedented action that drew both praise (for protecting vulnerable organizations) and concern (about law enforcement accessing private servers without the owners' direct consent).
- Multiple security firms released free scanning tools to help organizations check for indicators of compromise.
The Second Wave
After the initial HAFNIUM campaign, the exploits became public knowledge. Within days, at least ten additional threat groups were observed exploiting the same vulnerabilities. These included:
- Ransomware groups deploying DearCry ransomware on compromised Exchange servers.
- Cryptomining operations installing miners.
- Other nation-state groups installing their own backdoors alongside or replacing HAFNIUM's.
Some compromised Exchange servers were re-compromised multiple times by different groups. The attack surface was so large and the patch rate so slow that exploitation continued for weeks after patches were available.
Lessons Learned
The Exchange HAFNIUM attack drove home several important lessons:
- On-premises infrastructure carries patch-management risk. Exchange Online was not affected, and even when a cloud service is, its operator applies the fix for every tenant at once. On-premises servers required manual patching by each organization, and the gap between patch availability and patch application was measured in weeks for many victims.
- Patching is necessary but not sufficient after active exploitation. Organizations that patched after March 2 but did not check for web shells were still compromised. CISA's guidance explicitly warned that patching alone was not a complete remediation: a server that was reachable during the exploitation window needed a hunt for web shells and other persistence, and a confirmed compromise needed a full incident response.
- Internet-facing attack surface must be minimized. Every Exchange server reachable on port 443 was a target. Organizations should use VPNs, reverse proxies with WAF capabilities, or conditional access to limit direct exposure, while recognizing that Autodiscover and ActiveSync for mobile devices make complete isolation hard in practice.
- Mass exploitation can follow targeted campaigns. The shift from targeted HAFNIUM operations to mass exploitation, possibly triggered by awareness that patches were coming, is a pattern defenders should anticipate: a pending patch is itself a signal to attackers that their window is closing.
How Safeguard.sh Helps
Safeguard.sh continuously inventories your software assets and tracks known vulnerabilities across your infrastructure. When critical patches drop — like the Exchange emergency updates — our platform flags affected systems and enforces remediation timelines through policy gates. Beyond patching, Safeguard.sh monitors for indicators of compromise and provides SBOM-level visibility into what is running in your environment, so you can answer the question "are we affected?" in minutes rather than days. For organizations managing on-premises infrastructure alongside cloud services, this visibility is the difference between a controlled response and a crisis.