Estimated 30,000 U.S. Organizations and Businesses Hacked Through Microsoft Exchange Server “Zero-Day” Vulnerabilities


By: John Ghose

State-sponsored hackers have accessed the Microsoft email environments of an estimated 30,000 U.S. organizations – including many small and medium-sized companies, universities, and government agencies. This hack is nearly twice the size of the recent SolarWinds hack, and immediate action is needed to determine if your organization has been compromised. Below we explain how to assess whether your organization has been affected, and what to do if your data has been compromised.

On Wednesday, March 3, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to businesses and organizations running Microsoft Exchange on-premises products. The emergency directive was prompted by a blog post written by Microsoft a day earlier that described successful efforts by a Chinese state-sponsored hacking group to exploit previously unknown “zero-day” vulnerabilities in its MS Exchange product. Volexity, the security firm that first discovered the zero-day vulnerabilities, said in this article that hackers have been using these vulnerabilities to access victims’ email environments as far back as January 6, 2021.

According to guidance from Microsoft and CISA, if your organization uses MS Exchange on-premises (not cloud) servers, you should take the following steps immediately:

  • Run the free script and deploy the security updates provided by Microsoft to assess your exposure and patch your system.
  • If these initial assessments reveal indicators of compromise, activate your organization’s incident response plan and contact your cyber insurance carrier, if you have one, which can assist you with retaining a law firm and a forensics vendor for guidance and advice.
  • Finally, back up network data immediately. As reported by Brian Krebs, the security community fears that hackers could later exploit the web shell “back doors” installed as part of this hack by conducting a mass ransomware attack campaign to disrupt the American economy. Backing up data mitigates this ransomware risk.

If you need help with any of these steps, FMG’s Data Protection, Privacy, and Technology practice section is available and already advising several clients who have been affected by this breach. In addition, we are partnering with Tracepoint, a leading cyber incident response firm, to provide clients with a zero-cost initial consultation to help them determine what actions are needed because of this hack. Please contact co-chairs David Cole and John Ghose for further information.