Siem bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild

By: Bryson Medlock

Microsoft released a critical patch today that addresses multiple 0-day vulnerabilities for Microsoft Exchange.

If you’re hosting an Exchange server, we recommend applying patches immediately for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.


During an investigation of suspicious activity, Volexity discovered that an adversary, identified as HAFNIUM, used a 0-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855) to steal contents from several users’ mailboxes.

Exploitation only requires an attacker to know where an Exchange server is running and an email address to extract. This is an unauthenticated vulnerability that doesn’t require any special information about your infrastructure.

It was also determined that HAFNIUM was able to chain the SSRF vulnerability with a remote code execution (RCE) vulnerability to write ASPX web shells to disk and then used the web shells to steal credentials and copies of the Active Directory database, as well as add new users.

This vulnerability only affects on-premises Exchange servers.

According to our latest intelligence, HAFNIUM is a new Chinese state-sponsored threat actor that has been primarily targeting US-based targets across a wide range of industries.

Our SOC has also been working with the ConnectWise Incident Response team to hunt through our platforms and identify any customers who may have been compromised by this attack, and we’ve already discovered at least one of the web shells mentioned by Microsoft.


The SiemLabs team has deployed two signatures for all customers based on the data released by Microsoft and Volexity:

alert http any any -> $HOME_NET any (msg:"[Perch Security] Microsoft Exchange Authentication Bypass (CVE-2021-26855)"; http.method; content:"POST"; http.uri; pcre:"/\/owa\/auth\/Current\/themes\/resources\/[a-zA-Z0-9_-]+\.(css|gif|eot|ttf)/U"; tag:session,5,packets; reference:url,; classtype:web-application-attack; sid:900269; rev:1; metadata: created_at 2021_03_02, updated_at 2021_03_02, cve CVE_2021_26855;)
alert http any any -> $HOME_NET any (msg:"[Perch Security] Microsoft Exchange Remote Code Execution (CVE-2021-26855)"; http.method; content:"POST"; http.uri; pcre:"/\/ecp\/(default\.flt|main\.css|[a-z]\.js)/U"; tag:session,5,packets; reference:url,; classtype:web-application-attack; sid:900270; rev:1; metadata: created_at 2021_03_02, updated_at 2021_03_02, cve CVE_2021_26855;)
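The same two URI patterns can be run retroactively over web-server access logs to find requests the network sensor may have missed. The script below is an added example, not Perch Security's tooling; it reuses the URI regexes from the two signatures above, restricts matches to POST requests as the signatures do, and runs over a small constructed sample log (documentation IP addresses, not real incident data).

```python
import re
from dataclasses import dataclass

# URI regexes lifted from the two signatures above (sid 900269 and 900270),
# applied here to access-log lines instead of live HTTP traffic.
SIGNATURES = {
    "CVE-2021-26855 auth bypass (sid 900269)":
        re.compile(r"/owa/auth/Current/themes/resources/[a-zA-Z0-9_-]+\.(css|gif|eot|ttf)"),
    "CVE-2021-26855 RCE chain (sid 900270)":
        re.compile(r"/ecp/(default\.flt|main\.css|[a-z]\.js)"),
}

# Combined log format: method and URI sit inside the quoted request field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    src: str
    ts: str
    uri: str
    rule: str


def scan_log(lines):
    """Return one Hit per (line, signature) pair that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        # Both signatures key on http.method POST; a GET for /ecp/main.css
        # is just a browser fetching a stylesheet and must not alert.
        if not m or m.group("method") != "POST":
            continue
        uri = m.group("uri")
        for rule, pattern in SIGNATURES.items():
            if pattern.search(uri):
                hits.append(Hit(m.group("src"), m.group("ts"), uri, rule))
    return hits


# Constructed sample lines (not from a real incident). Lines 1 and 3 should fire.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2021:10:14:22 +0000] "POST /owa/auth/Current/themes/resources/logon.css HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Mar/2021:10:15:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 4102',
    '203.0.113.7 - - [02/Mar/2021:10:16:40 +0000] "POST /ecp/y.js HTTP/1.1" 200 0',
    '192.0.2.4 - - [02/Mar/2021:10:17:03 +0000] "GET /ecp/main.css HTTP/1.1" 200 3390',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} {h.rule}: {h.uri}")
```

Point it at real IIS or reverse-proxy logs by replacing SAMPLE_LOG with the file's lines; any hit is a starting point for the web-shell and credential-theft checks described above, not proof of compromise on its own.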