Risk Advisory: Microsoft Exchange 'Hafnium'

Wednesday, 10 March, 2021

Microsoft Exchange

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

If your organisation uses Exchange (specifically on-premise rather than Office 365) then please read on as this advisory directly affects your organisation and action is required by your IT team.

What has happened?

State-sponsored actors have discovered flaws in Microsoft’s Exchange software that is used by many organisations for email, calendar and address books and used these to breach organisations. Microsoft has dubbed the attackers ‘Hafnium’.

Microsoft has released a patch to fix the issues (out-of-band of usual patch cycles), however not before the attackers appear to have gotten wind of the fix and significantly accelerated their malicious activity: over 30,000 organisations in the United States have been affected, and the number is believed to be more than 100,000 worldwide.

Hafnium appears to primarily be targeting organisations in the United States, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs.

What is the risk?

Once the Exchange server is compromised the attackers are in a position to steal data from company email systems and have used their access to install ‘backdoor’ remote access.

The actors appear to be motivated by gathering data for espionage purposes. These covert intentions limit the consequences of this risk, though this risk is evolving as cybercriminals investigate the use of the vulnerabilities (see below).


  • State-sponsored

Risk events:

  • System Intrusion (Software exploit)
  • Information Breach (Unauthorised access to systems; Unauthorised access to information)


  • Financial (Unplanned response costs)

How may it evolve?

Cyber-criminals regularly review software updates to identify techniques that they may use to target organisations that have not patched. Intelligence suggests that criminals are reverse-engineering the exploit and may use it to launch ransomware attacks.

The same vulnerabilities may therefore start to manifest as a different risk to your organisation that has greater consequences.


  • Criminal

Risk events:

  • System Intrusion (Software exploit)
  • Malware (Ransomware)
  • Information Breach (Unauthorised access to information)


  • Operations (Business disruption)
  • Compliance (Regulatory fines)
  • Financial (Unplanned response costs)
  • Strategic (Embarrassing reporting)

What action is required?

It is essential that you immediately apply the patch from Microsoft to prevent these vulnerabilities from being exploited in the future.

The patch does not resolve the issue if you have already been compromised and therefore it is also advisable that your IT team use the ‘indicators of compromise’ to investigate. If they identify any unusual activity further, specialist incident response services may be required.

The actions below are recommended to be carried out by IT and Security teams for organisations running Exchange 2003, 2007, 2010, 2013, 2016 and 2019. (Exchange Online is not affected.)

  1. Install the software patch released by Microsoft that must be installed as a privileged user (older versions need to follow a different upgrade path)
  2. IT teams should investigate if your organisation has been compromised using these ‘indicators of compromise’ and scripts
  3. If evidence of compromise is found, you should extend your investigation and consider the need for external cyber incident response support.

Further technical information is available from the Microsoft Security Response Centre here and here.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.