Microsoft Exchange email attacks may have been more damaging than first thought


The cyberattack against Microsoft Exchange email servers may have been wider-ranging than previously thought according to new reports that claim tens of thousands of businesses could already have been affected.

Security experts have estimated that over 30,000 US governmental and commercial organizations may have had emails hacked following the attack on servers across the country.

Microsoft has issued an emergency patch for the issue, but many affected customers have yet to install it and protect themselves from further damage, and there are doubts about whether the patch itself is secure enough.

According to KrebsOnSecurity, the attack was carried out by a Chinese hacking group known as Hafnium, which targeted Microsoft Exchange email servers for the company's Outlook service.

The White House has taken an active role in responding to the attack, and over the weekend urged administrators and network operators across the US to ensure they are protected.

This followed concerns that Microsoft's fix had not stopped the attack: the US government believes the patch does not address backdoor access that could still let hackers into already-compromised servers, raising the risk of further attacks.

“This is an active threat still developing and we urge network operators to take it very seriously,” Reuters quotes a White House official as saying, noting that a task force was being formed to address the hack.

“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official added.

KrebsOnSecurity believes the attack has been ongoing since January 6, with Microsoft only releasing its patch on March 2, nearly two months later, meaning the scale of the threat had grown exponentially.

Microsoft says it is working closely with the US government and security companies to ensure its guidance is up to date and offering the best advice.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson told KrebsOnSecurity. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

“These vulnerabilities are significant and need to be taken seriously,” noted Mat Gangwer, senior director, Sophos Managed Threat Response. “They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet mean that many organisations running an on-premises Exchange server could be at risk.”

“Organisations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange devices and confirm the updates have been successful. However, simply applying patches won’t remove artifacts from your network that pre-date the patch. Organisations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly, to neutralise the attack and remove the adversary from their networks.”

Via KrebsOnSecurity / Reuters

Mike Moore
Deputy Editor, TechRadar Pro
