
Microsoft Exchange Hack: 30,000 Organizations Compromised Overnight

Email server security breach

Microsoft disclosed four zero-day vulnerabilities in Exchange Server that are being actively exploited by a Chinese state-sponsored group called Hafnium. An estimated 30,000 US organizations have been compromised, including small businesses, local governments, and healthcare organizations.

If your practice runs an on-premise Microsoft Exchange server for email, you need to act immediately.

What Happened

The vulnerabilities allow attackers to access Exchange servers from the internet without authentication, read emails, install web shells (persistent backdoors), and move laterally through the network. The attack chain is fully automated, meaning an exposed server can be compromised in minutes.

Microsoft released emergency patches on March 2nd. But the attackers accelerated their scanning and exploitation immediately after the patches were announced, racing to compromise as many servers as possible before organizations could patch.

Are You Affected?

You ARE affected if:

  • You run Microsoft Exchange Server on-premise (Exchange 2013, 2016, or 2019)
  • Your Exchange server is accessible from the internet (Outlook Web Access, ActiveSync)

You are NOT affected if:

  • You use Microsoft 365 / Exchange Online (cloud-hosted email)
  • You use Google Workspace
  • You don't use Exchange at all

What to Do Right Now

  1. Patch immediately. Apply the emergency Exchange updates. This is the highest priority.
  2. Check for compromise. Microsoft released a script to detect indicators of compromise. Run it even if you've already patched, as the compromise may have occurred before patching.
  3. Look for web shells. Check your Exchange server for unexpected .aspx files in web directories. These are the backdoors attackers install.
  4. If compromised, assume full network compromise. The web shells give attackers persistent access. Even after patching, the backdoors remain. Professional incident response may be needed.
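A triage script along the lines of steps 2 and 3, added here as an example (it is not Microsoft's detection script and not part of the original post): it lists recently created or modified .aspx files under the web roots Exchange serves, hashes them for your incident responder, and flags common web-shell constructs. The web-root paths, the -Since default and the pattern list are assumptions; adjust them for your server.

```powershell
# Web-shell triage for an on-premise Exchange server (added example, not Microsoft's script).
# Assumptions: run in an elevated PowerShell session on the Exchange server;
# $env:ExchangeInstallPath is set (it is on a default install); $Roots and -Since are
# assumed defaults to adjust for your environment.
param(
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# Web roots Exchange and IIS expose to the internet. Assumed default locations;
# verify them against your own installation.
$Roots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
    'C:\inetpub\wwwroot'
) | Where-Object { Test-Path $_ }

# Coarse heuristics: server-side code that reads request input or spawns processes.
# Expect some false positives; a legitimate Exchange page can also match.
$SuspiciousPatterns = @('Request\[', 'Request\.Item', 'eval\(', 'Process\.Start')

$findings = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits = $SuspiciousPatterns | Where-Object { $content -match $_ }
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspicious  = ($hits -join ', ')
            }
        }
}

# Review every row, not only the flagged ones; keep the CSV for incident response.
$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\exchange-aspx-triage.csv" -NoTypeInformation
```

Compare the listed files and hashes against a known-good Exchange server at the same update level; any .aspx file you cannot account for goes to incident response rather than being deleted on the spot.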

The Bigger Lesson: On-Premise Email Is a Liability

This is the strongest argument yet for migrating to cloud-hosted email. Microsoft 365 was not affected by these vulnerabilities. Cloud-hosted email is patched and secured by Microsoft's team, not by your IT provider or (worse) by nobody.

On-premise Exchange servers require constant patching, monitoring, and security management. Most small organizations don't have the expertise or resources to do this effectively. The Exchange hack proves the risk.

If you're still running on-premise Exchange after this incident, seriously consider migrating to Microsoft 365. The monthly cost is modest ($6-22/user/month), and the security improvement is substantial.

30,000 organizations compromised through their email servers. Don't be number 30,001.