Mass Exploitation of Microsoft Exchange Flaws Led to Global Email Server Compromises
Attackers exploited multiple zero-day and later related vulnerabilities in on-premises Microsoft Exchange Server to compromise email systems at tens of thousands of organizations worldwide, including government agencies, banks, universities, defense contractors, law firms, healthcare entities, local governments, and small businesses. Microsoft initially attributed the early activity to the China-linked group Hafnium, while CISA, the FBI, and the White House warned that exploitation quickly spread to many additional state-backed and criminal actors after patches were released. The intrusions affected Exchange 2010, 2013, 2016, and 2019 deployments rather than Exchange Online or Microsoft 365, and enabled attackers to steal emails and address books, dump credentials, install web shells such as China Chopper, move laterally, and in some cases deploy follow-on malware including ransomware.
U.S. and allied governments later formally attributed the campaign to actors affiliated with China’s Ministry of State Security, and CISA said organizations should investigate for compromise dating back to at least January 2021 and assume identity compromise where exploitation was found. Security researchers and incident responders reported thousands of backdoored servers across more than 100 countries, with many systems still unpatched well after disclosure, and warned that patching alone did not remove implanted persistence. Microsoft and CISA released emergency updates, detection and remediation guidance, and tools including Test-ProxyLogon.ps1 and EOMT.ps1, while later research showed Exchange attack chains such as ProxyShell could still be adapted for remote code execution and could evade weak perimeter defenses, reinforcing that rapid patching and thorough incident response were essential.

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Microsoft patches additional Exchange flaws later tied to ProxyShell
MDSec said Microsoft patched multiple Exchange Server vulnerabilities in April and May 2021 that became central to ProxyShell exploitation research. These fixes addressed attack paths that could be combined for remote code execution without dropping a web shell.
MDSec publishes ProxyShell and NSA Meeting exploit analysis
On 2021-09-15, MDSec published technical research showing how ProxyShell and the so-called NSA Meeting flaw could be combined to achieve Exchange remote code execution without dropping a web shell. The post also described WAF evasion techniques and argued patching was the only reliable mitigation.
DOJ announces charges against four Chinese nationals
On 2021-07-19, the Justice Department announced charges against four Chinese nationals accused of working with the MSS in a long-running hacking campaign. The announcement accompanied the coordinated public attribution of the Exchange activity to China.
U.S. and allies publicly blame China for Exchange exploitation
On 2021-07-19, the United States and multiple allies formally attributed the mass exploitation of Microsoft Exchange vulnerabilities to actors affiliated with China's Ministry of State Security. CISA updated its advisory the same day to reflect the attribution.
DOJ launches court-authorized cleanup of Exchange web shells
On 2021-04-12, the U.S. Justice Department announced a court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities. The action targeted malicious web shells left on compromised servers.
Dutch researchers find 46,000 Exchange servers still unpatched
BleepingComputer reported that after scanning 250,000 Exchange servers worldwide, the Dutch Institute for Vulnerability Disclosure found 46,000 still unpatched against the heavily exploited flaws. The finding underscored the large remaining attack surface after disclosure.
ESET reports many additional APT groups exploiting ProxyLogon
By 2021-03-10, ESET reported that at least 10 APT groups and several unclassified clusters were exploiting the Exchange ProxyLogon vulnerabilities beyond Hafnium. It said web shells had been deployed on more than 5,000 unique servers across over 115 countries based on incomplete telemetry.
CISA and FBI issue joint advisory on Exchange compromise
On 2021-03-10, CISA and the FBI released a Joint Cybersecurity Advisory on the Microsoft Exchange Server compromise. The agencies warned the flaws could enable network compromise, data theft, ransomware, or destructive attacks and mapped observed activity to MITRE ATT&CK.
European Banking Authority discloses Exchange compromise
The European Banking Authority was reported as a victim of the Exchange hack, illustrating that the victim set extended beyond the United States. Reporting also said the scale of compromise was larger than initially estimated.
Attackers shift to mass scanning and backdooring Exchange servers
Krebs reported that in late February 2021, attackers moved from targeted intrusions to broad mass-scanning and backdooring of vulnerable Microsoft Exchange servers. This marked a major escalation in the scope of exploitation.
Researchers identify and report Exchange zero-days and exploitation
Krebs reported that researchers from DEVCOR, Volexity, and Dubex identified or reported aspects of the Exchange flaws and active exploitation between early January and early February 2021. These findings showed Microsoft and security firms were aware of the issue weeks before emergency patches were released.
Volexity observes suspicious Exchange data theft activity
Microsoft said Volexity helped detect the intrusions after observing unusually large data transfers tied to Exchange compromises in late January. This observation became an early indicator of the campaign exploiting previously unknown Exchange flaws.
Microsoft publicly attributes initial exploitation to Hafnium
Microsoft said the initial exploitation was conducted by Hafnium, a suspected China-linked state-sponsored espionage group targeting U.S.-based organizations. The attribution framed the campaign as a nation-state intrusion focused on email theft and persistent access.
Microsoft issues defense-in-depth patch for Exchange 2010
Krebs reported that when Microsoft patched the four zero-day flaws, it also issued a defense-in-depth patch for unsupported Exchange Server 2010. This extended mitigation guidance beyond the fully supported Exchange versions.
Microsoft discloses Hafnium Exchange zero-days and releases patches
On 2021-03-02, Microsoft disclosed that Hafnium was exploiting four previously undisclosed vulnerabilities in on-premises Exchange Server and released out-of-band security updates. The company said the flaws could be chained to steal emails and deploy malware, and warned other actors would likely rapidly exploit unpatched systems.
Sources
Threat description search results - Microsoft Security Intelligence
microsoft.com
Most online Exchange Servers vulnerable to ProxyLogon still not remediated | brief | SC Media
scworld.com
NSA Meeting Proposal for ProxyShell - MDSec
mdsec.co.uk
Microsoft Exchange hack caused by China, US and allies say | AP News
apnews.com
Update Microsoft Exchange as soon as possible - Nasjonal sikkerhetsmyndighet
nsm.no
Microsoft: China-based hackers found bug to target US firms | AP News
apnews.com
Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data
theregister.com
Microsoft says China-backed hackers are exploiting Exchange zero-days | TechCrunch
techcrunch.com