2021: Microsoft Exchange Zero-Day: 250,000 Email Servers Compromised

By The EmailCloud Team | 2021 Security

On March 2, 2021 — three months after the SolarWinds supply chain attack, which was still dominating cybersecurity headlines — Microsoft released emergency security patches for four zero-day vulnerabilities in Exchange Server. The vulnerabilities were already being actively exploited by a Chinese state-sponsored hacking group. The patches were critical. The scale was enormous. And the race between defenders deploying patches and attackers exploiting the window of vulnerability would become one of the most dramatic episodes in cybersecurity history.

The Vulnerabilities

The four vulnerabilities, when chained together, gave attackers a terrifying level of access. The attack chain began with CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed an attacker to send specially crafted HTTP requests to the Exchange server and authenticate as the server itself. This required no credentials — just the ability to reach the server over the internet on port 443.

Once authenticated, the attacker could exploit CVE-2021-26857, a deserialization vulnerability in the Unified Messaging service, to execute arbitrary code on the server with SYSTEM privileges — the highest level of access on a Windows system. Two additional vulnerabilities (CVE-2021-26858 and CVE-2021-27065) allowed writing files to any location on the server, enabling the installation of web shells — persistent backdoors that gave the attackers remote access even after the vulnerabilities were patched.

The combination was devastating. An unauthenticated attacker with nothing more than network access to an Exchange server could gain complete control: read any email, impersonate any user, access any data stored on or accessible from the server, and install persistent backdoors for future access.

The Initial Exploitation

Microsoft attributed the initial exploitation to a group it calls Hafnium, described as a Chinese state-sponsored threat actor. Hafnium had historically targeted organizations in the United States across multiple sectors: infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

The initial Hafnium campaign appeared to be targeted and relatively restrained — focused on specific organizations of intelligence value. But in the days before and immediately after Microsoft released patches on March 2, the exploitation went from targeted to indiscriminate. Someone — whether Hafnium or other groups who obtained the exploit — began mass-scanning the internet for vulnerable Exchange servers and compromising them at industrial scale.

The timing suggested that multiple threat actors had independently discovered or obtained the exploit chain. Cybersecurity firm ESET identified at least ten different advanced persistent threat (APT) groups exploiting the vulnerabilities in the days following the patch release, including groups linked to multiple nation-states.

The Scale

The numbers were staggering. Microsoft estimated that at least 250,000 Exchange servers worldwide were compromised. Some researchers put the number higher. The victims were not primarily large enterprises with sophisticated security teams — many of those had already migrated to cloud-based Microsoft 365, which was not affected.

Instead, the victims were the organizations most vulnerable and least prepared: small businesses, local governments, school districts, community banks, credit unions, small law firms, and nonprofit organizations. These were entities that ran their own Exchange servers because it was what they had always done, often without dedicated IT security staff, often without the resources to patch quickly.

The sheer diversity of victims made coordinated response nearly impossible. While large organizations had security teams that could deploy patches and scan for web shells, small organizations often didn’t know they were running Exchange Server, didn’t understand the patches, or couldn’t apply them without IT support they didn’t have.

The Response

The White House established a unified coordination group — the same mechanism used for the SolarWinds response — reflecting the severity of the incident. The Cybersecurity and Infrastructure Security Agency (CISA) issued multiple emergency directives. The FBI obtained a court order authorizing it to remotely access compromised Exchange servers in the United States and remove web shells — a legally and technically unprecedented step that raised questions about government access to private systems, even in service of defense.

Microsoft released a one-click mitigation tool designed to be usable by administrators without deep security expertise. CISA published detection tools and guidance. The cybersecurity community mobilized to help vulnerable organizations, with some firms offering free scanning and remediation services.

Despite these efforts, the remediation was painfully slow. Weeks after patches were available, tens of thousands of servers remained unpatched. Some organizations didn’t know they were vulnerable. Others lacked the technical capability to apply patches. Still others had been compromised and had web shells installed that would persist even after patching — they needed not just patches but full forensic analysis and remediation.
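The file-write bugs described above left web shells on disk that survived patching, which is why remediation meant scanning the web directories and not just installing updates. The following is an added example of the kind of triage scan a responder would run; it is not Microsoft's or CISA's tooling and not code from this article. The indicator patterns, the cutoff date (the March 2 patch date from the article) and the sample directory tree are all constructed here; on a real server the roots would be the IIS web folders of the Exchange front end, and the pattern list would be extended with the vendor's published indicators.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Regexes for attacker-controlled input sources and for sinks that turn
# input into execution. Constructed heuristic list; an incident responder
# would extend it with the vendor's published indicators.
INPUT_PATTERNS = [
    r"Request\s*\[",
    r"Request\.(Form|QueryString|Headers|Cookies|InputStream)",
]
SINK_PATTERNS = [
    r"System\.Diagnostics\.Process",
    r"Process\.Start",
    r"\beval\s*\(",
    r"\bExecute\s*\(",
    r"Assembly\.Load",
    r"cmd\.exe",
    r"powershell(\.exe)?",
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Patch release date from the article; anything written after it deserves a look.
PATCH_DATE = datetime(2021, 3, 2, tzinfo=timezone.utc)


def classify_page(text):
    """Return (input_hits, sink_hits): which patterns a page body matches."""
    inputs = [p for p in INPUT_PATTERNS if re.search(p, text, re.IGNORECASE)]
    sinks = [p for p in SINK_PATTERNS if re.search(p, text, re.IGNORECASE)]
    return inputs, sinks


def scan_roots(roots, modified_after=PATCH_DATE):
    """Walk the given web roots and report server-side pages that combine an
    input source with an execution sink, or that were modified after the
    cutoff. Either condition alone is only a lead; both together is strong."""
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            text = path.read_text(encoding="utf-8", errors="replace")
            inputs, sinks = classify_page(text)
            reasons = []
            if inputs and sinks:
                reasons.append("input-to-execution pattern")
            if mtime > modified_after:
                reasons.append("modified after cutoff")
            if reasons:
                findings.append({
                    "path": str(path),
                    "modified": mtime.isoformat(timespec="seconds"),
                    "reasons": reasons,
                    "inputs": inputs,
                    "sinks": sinks,
                })
    return findings


def build_sample_tree():
    """Create a constructed stand-in for an Exchange web root; only the
    owa/auth folder name echoes a real layout, everything else is made up."""
    root = Path(tempfile.mkdtemp(prefix="sample_webroot_"))
    auth_dir = root / "owa" / "auth"
    auth_dir.mkdir(parents=True)

    # A legitimate logon page reads form input but launches nothing; give it
    # a 2020 timestamp so it predates the cutoff.
    benign = auth_dir / "logon.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n'
                      '<% string user = Request.Form["username"]; %>\n'
                      '<html><body>Sign in</body></html>\n', encoding="utf-8")
    old = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))

    # A constructed suspect page: names both an input source and an execution
    # sink (as inert comment text, not working code) and carries a fresh mtime.
    suspect = auth_dir / "sample_suspect.aspx"
    suspect.write_text('<%-- constructed sample: Request["cmd"] -> '
                       'System.Diagnostics.Process.Start --%>\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_roots([str(build_sample_tree())]):
        print(finding["path"], finding["reasons"])
```

The benign logon page is not reported even though it reads request input, because the scan only escalates when an input source and an execution sink appear together or when the file is newer than the patch date. A real sweep would also compare file hashes against a known-good Exchange install, since a shell can be dropped with a backdated timestamp.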

The Email Data

For compromised organizations, the immediate concern was email data. Exchange Server is an email server — the attackers had access to every email stored on it. For organizations with years of email history on their Exchange servers, the potential data exposure was enormous: client communications, financial records, legal correspondence, employee personal information, strategic planning documents, and intellectual property.

Many compromised organizations had no way of knowing exactly what data had been accessed. The web shells provided persistent access, but access logs could be incomplete or tampered with. Some organizations were forced to notify all clients and contacts that their email communications might have been compromised — a reputational and legal headache on top of the security crisis.
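One reason access logs could not be trusted after the fact is that an attacker with SYSTEM on the server can edit or truncate them in place. The following added example (not from the article, and not a Microsoft feature) shows the usual defense: a hash chain over log lines whose digests are shipped to a collector the web server cannot write to, so that any edited, removed or appended line is detected and located. The log lines are constructed samples in a W3C-style layout, not real Exchange or IIS records.

```python
import hashlib

GENESIS = "0" * 64  # anchor for the first entry; any fixed public value works

# Constructed access-log lines in a W3C-style layout; not real Exchange/IIS records.
SAMPLE_LINES = [
    "2021-03-01 08:12:41 10.0.0.5 GET /owa/ - 443 alice 203.0.113.10 200",
    "2021-03-01 08:13:02 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 200",
    "2021-03-01 08:13:05 10.0.0.5 GET /owa/auth/sample.aspx - 443 - 198.51.100.7 200",
    "2021-03-01 08:15:30 10.0.0.5 GET /owa/ - 443 bob 203.0.113.22 200",
]


def chain_entry(prev_hash, line):
    """Hash of this line bound to the hash of everything before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def build_chain(lines):
    """Return one hash per line, each committing to all earlier lines. Ship
    these (or at least the last one) off-host as the log is written."""
    hashes, prev = [], GENESIS
    for line in lines:
        prev = chain_entry(prev, line)
        hashes.append(prev)
    return hashes


def verify_chain(lines, trusted_hashes):
    """Recompute the chain over the log as it now exists on the server and
    compare with the off-host copy. Returns None if everything matches, or
    the index of the first entry where the log diverges (an edited line, a
    deleted line, or an appended one) so the responder knows where to look."""
    prev = GENESIS
    for i, line in enumerate(lines):
        prev = chain_entry(prev, line)
        if i >= len(trusted_hashes) or prev != trusted_hashes[i]:
            return i
    if len(lines) < len(trusted_hashes):
        return len(lines)  # lines were removed from the end
    return None


if __name__ == "__main__":
    trusted = build_chain(SAMPLE_LINES)
    print("intact:", verify_chain(SAMPLE_LINES, trusted))
    scrubbed = SAMPLE_LINES[:2] + SAMPLE_LINES[3:]  # the request to the dropped page removed
    print("line removed at index:", verify_chain(scrubbed, trusted))
```

Removing the third line shifts every later line onto the wrong predecessor hash, so the divergence shows up at index 2 even though the remaining lines are individually genuine. The chain only proves integrity from the moment hashes left the host; it cannot recover lines the attacker deleted, which is why the article's point stands that some organizations never learned exactly what was read.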

Lessons for Email Security

The Exchange zero-day incident taught several painful lessons. On-premises email servers are high-value targets that require constant security maintenance. Organizations running their own Exchange servers need the capability to deploy emergency patches within hours, not weeks — a capability many small organizations simply don’t have.

The incident accelerated the migration from on-premises Exchange to cloud-based Microsoft 365. Microsoft’s cloud infrastructure was not affected by the vulnerabilities (Microsoft handles patching for cloud-hosted Exchange), and the attack provided a compelling argument for moving email to the cloud: let Microsoft handle the security.

But the broader lesson was about the email server itself as a target. Email servers hold the crown jewels of organizational communication. They are accessible from the internet by design (they have to receive email from the outside world). And they run complex software with large attack surfaces. Securing them requires not just patching but monitoring, access controls, network segmentation, and incident response planning.

The Exchange zero-day was the most significant email server attack in history, and it demonstrated that email infrastructure — the servers, protocols, and software that make email work — remains one of the most critical and most vulnerable components of organizational security.

Frequently Asked Questions

What were the Microsoft Exchange zero-day vulnerabilities?

Four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in Microsoft Exchange Server 2013, 2016, and 2019 allowed attackers to authenticate as the Exchange server, execute code as SYSTEM, and write files to any path on the server. When chained together, the vulnerabilities gave attackers complete control over affected email servers.

How many servers were affected by the Exchange hack?

Microsoft estimated that at least 250,000 Exchange servers worldwide were compromised before patches were applied. The victims included small businesses, local governments, school districts, credit unions, and organizations across virtually every sector. The White House described the scope as 'significant' and established a unified coordination group to manage the response.

Who was behind the Microsoft Exchange attack?

Microsoft attributed the attack to a Chinese state-sponsored hacking group it calls Hafnium. The group had historically targeted US-based organizations including infectious disease researchers, law firms, defense contractors, policy think tanks, and higher education institutions. China denied involvement.