{"id":35717,"date":"2020-06-24T16:00:40","date_gmt":"2020-06-24T16:00:40","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91397"},"modified":"2020-06-24T16:00:40","modified_gmt":"2020-06-24T16:00:40","slug":"defending-exchange-servers-under-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/","title":{"rendered":"Defending Exchange servers under attack"},"content":{"rendered":"<p>Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.<\/p>\n<p>If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.<\/p>\n<p>There are two primary ways in which Exchange servers are compromised. The first and more common scenario is attackers launching social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.<\/p>\n<p>The second scenario is where attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server. This is an attacker\u2019s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges.<\/p>\n<p>The first scenario is more common, but we\u2019re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0688\">CVE-2020-0688<\/a>. The <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0688\">security update<\/a> that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.<\/p>\n<p>In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server. As we discussed in a previous blog, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/02\/04\/ghost-in-the-shell-investigating-web-shell-attacks\/\">web shells<\/a> allow attackers to steal data or perform malicious actions for further compromise.<\/p>\n<h2>Behavior-based detection and blocking of malicious activities on Exchange servers<\/h2>\n<p>Adversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/09\/behavioral-blocking-and-containment-transforming-optics-into-protection\/\">Behavior-based blocking and containment<\/a> capabilities in Microsoft Defender ATP, which use engines that specialize in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/08\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/\">detecting threats by analyzing behavior<\/a>, surface suspicious and malicious activities on Exchange servers. These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.<\/p>\n<p>In April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web &nbsp;(formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the &nbsp;Exchange Control Panel or ECP), executing <em>net.exe<\/em>, <em>cmd.exe<\/em>, and other known living-off-the-land binaries (<a href=\"https:\/\/github.com\/LOLBAS-Project\/LOLBAS\/blob\/master\/README.md\">LOLBins<\/a>) like <em>mshta.exe<\/em> is very suspicious and should be further investigated.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91419\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/suspicious-behaviors-detected-on-exchange-servers.png\" alt width=\"1194\" height=\"449\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/suspicious-behaviors-detected-on-exchange-servers.png 1194w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/suspicious-behaviors-detected-on-exchange-servers-300x113.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/suspicious-behaviors-detected-on-exchange-servers-1024x385.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/suspicious-behaviors-detected-on-exchange-servers-768x289.png 768w\" sizes=\"auto, (max-width: 1194px) 100vw, 1194px\"><\/p>\n<p><em>Figure 1. Behavior-based detections of attacker activity on Exchange servers<\/em><\/p>\n<p>In this blog, we\u2019ll share our investigation of the Exchange attacks in early April, covering multiple campaigns occurring at the same time. The data and techniques from this analysis make up an anatomy of Exchange server attacks. Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91437 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2.png\" alt width=\"1200\" height=\"500\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2.png 1200w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2-300x125.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2-1024x427.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Exchange-servers-attack-chain-2-768x320.png 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\"><\/a><\/p>\n<p><em>Figure 2. Anatomy of an Exchange server attack<\/em><\/p>\n<h2>Initial access: Web shell deployment<\/h2>\n<p>Attackers started interacting with target Exchange servers through web shells they had deployed. Any path accessible over the internet is a potential target for web shell deployment, but in these attacks, the most common client access paths were:<\/p>\n<ul>\n<li><em>%ProgramFiles%\\Microsoft\\Exchange Server\\&lt;version&gt;\\ClientAccess<\/em><\/li>\n<li><em>%ProgramFiles%\\Microsoft\\Exchange Server\\&lt;version&gt;\\FrontEnd<\/em><\/li>\n<\/ul>\n<p>The ClientAccess and FrontEnd directories provide various client access services such as Outlook on the web, EAC, and AutoDiscover, to name a few. These IIS virtual directories are automatically configured during server installation and provide authentication and proxy services for internal and external client connections.<\/p>\n<p>These directories should be monitored for any new file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process results in more reliable signals. Common services like OWA or ECP dropping <em>.aspx<\/em> or <em>.ashx<\/em> files in any of the said directories is highly suspicious.<\/p>\n<p>In our investigation, most of these attacks used the <a href=\"https:\/\/attack.mitre.org\/software\/S0020\/\">China Chopper<\/a> web shell. The attackers tried to blend the web shell script file with other <em>.aspx<\/em> files present on the system by using common file names. In many cases, hijacked servers used the \u2018echo\u2019 command to write the web shell. In other cases, <em>certutil.exe<\/em> or <em>powershell.exe<\/em> were used. Here are some examples of the China Chopper codes that were dropped in these attacks:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91398\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/a-Exchange-server-web-shell-1.png\" alt width=\"912\" height=\"301\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/a-Exchange-server-web-shell-1.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/a-Exchange-server-web-shell-1-300x99.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/a-Exchange-server-web-shell-1-768x253.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>We also observed the attackers switching web shells or introducing two or more for various purposes. In one case, the attackers created an <em>.ashx<\/em> version of a popular, publicly available <em>.aspx<\/em> web shell, which exposes minimum functionality:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91399\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/b-Exchange-server-web-shell-2.png\" alt width=\"912\" height=\"279\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/b-Exchange-server-web-shell-2.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/b-Exchange-server-web-shell-2-300x92.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/b-Exchange-server-web-shell-2-768x235.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91425 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created.png\" alt width=\"1845\" height=\"911\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created.png 1845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created-300x148.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created-1024x506.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created-768x379.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/A-suspicious-web-script-was-created-1536x758.png 1536w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\"><\/a><\/p>\n<p><em>Figure 3. Microsoft Defender ATP alert for web shell<\/em><\/p>\n<h2>Reconnaissance<\/h2>\n<p>After web shell deployment, attackers typically ran an initial set of exploratory commands like <em>whoami<\/em>, <em>ping<\/em>, and <em>net user<\/em>. In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.<\/p>\n<p>Attackers enumerated all local groups and members on the domain to identify targets. Interestingly, in some campaigns, attackers used open-source user group enumerating tools like <em>lg.exe<\/em> instead of the built-in <em>net.exe<\/em>. Attackers also used the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/06\/16\/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security\/\">EternalBlue<\/a> exploit and <em>nbtstat<\/em> scanner to identify vulnerable machines on the network.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91400\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/c-Exchange-server-reconnaissance-1.png\" alt width=\"912\" height=\"117\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/c-Exchange-server-reconnaissance-1.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/c-Exchange-server-reconnaissance-1-300x38.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/c-Exchange-server-reconnaissance-1-768x99.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>Next, the attackers ran built-in Exchange Management Shell cmdlets to gain more information about the exchange environment. Attackers used these cmdlets to perform the following:<\/p>\n<ul>\n<li>List all Exchange admin center virtual directories in client access services on all Mailbox servers in the network<\/li>\n<li>Get a summary list of all the Exchange servers in the network<\/li>\n<li>Get information on mailboxes, such as size and number of items, along with role assignments and permissions.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91401\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/d-Exchange-server-reconnaissance-2.png\" alt width=\"912\" height=\"117\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/d-Exchange-server-reconnaissance-2.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/d-Exchange-server-reconnaissance-2-300x38.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/d-Exchange-server-reconnaissance-2-768x99.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91426 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups.png\" alt width=\"1845\" height=\"911\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups.png 1845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups-300x148.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups-1024x506.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups-768x379.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Anomalous-account-lookups-1536x758.png 1536w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\"><\/a><\/p>\n<p><em>Figure 4. Microsoft Defender ATP alert showing process tree for anomalous account lookups<\/em><\/p>\n<h2>Persistence<\/h2>\n<p>On misconfigured servers where they have gained the highest privileges, attackers were able to add a new user account on the server. This gave the attackers the ability to access the server without the need to deploy any remote access tools.<\/p>\n<p>The attackers then added the newly created account to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins, practically making the attackers a domain admin with unrestricted access to any users or group in the organization.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91402\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/e-Exchange-server-persistence.png\" alt width=\"912\" height=\"83\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/e-Exchange-server-persistence.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/e-Exchange-server-persistence-300x27.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/e-Exchange-server-persistence-768x70.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/e-Exchange-server-persistence-900x83.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91427 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands.png\" alt width=\"1845\" height=\"944\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands.png 1845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands-300x153.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands-1024x524.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands-768x393.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/New-local-admin-added-using-Net-commands-1536x786.png 1536w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\"><\/a><\/p>\n<p><em>Figure 5. Microsoft Defender ATP alert showing process tree for addition of local admin using Net commands<\/em><\/p>\n<h2>Credential access<\/h2>\n<p>Exchange servers contain the most sensitive users and groups in an organization. Gaining credentials to these accounts could virtually give attackers domain admin privileges.<\/p>\n<p>In our investigation, the attackers first dumped user hashes by saving the Security Account Manager (SAM) database from the registry.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91405\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/f-Exchange-server-credential-access-1.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/f-Exchange-server-credential-access-1.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/f-Exchange-server-credential-access-1-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/f-Exchange-server-credential-access-1-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/f-Exchange-server-credential-access-1-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>Next, the attackers used the ProcDump tool to dump the Local Security Authority Subsystem Service (LSASS) memory. The dumps were later archived and uploaded to a remote location.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91406\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/g-Exchange-server-credential-access-2.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/g-Exchange-server-credential-access-2.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/g-Exchange-server-credential-access-2-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/g-Exchange-server-credential-access-2-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/g-Exchange-server-credential-access-2-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>In some campaigns, attackers dropped Mimikatz and tried to dump hashes from the server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91407\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/h-Exchange-server-credential-access-3.png\" alt width=\"912\" height=\"101\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/h-Exchange-server-credential-access-3.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/h-Exchange-server-credential-access-3-300x33.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/h-Exchange-server-credential-access-3-768x85.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/h-Exchange-server-credential-access-3-900x101.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91428 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected.png\" alt width=\"1845\" height=\"911\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected.png 1845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected-300x148.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected-1024x506.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected-768x379.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Malicious-credential-theft-tool-execution-detected-1536x758.png 1536w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\"><\/a><\/p>\n<p><em>Figure 6. Microsoft Defender ATP alert on detection of Mimikatz<\/em><\/p>\n<p>In environments where Mimiktaz was blocked, attackers dropped a modified version with hardcoded implementation to avoid detection. Attackers also added a wrapper written in the Go programming language to make the binary more than 5 MB. The binary used the open-source MemoryModule library to load the binary using <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\">reflective DLL injection<\/a>. Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.<\/p>\n<p>The attackers also enabled \u2018<em>wdigest<\/em>\u2019 registry settings, which forced the system to use WDigest protocol for authentication, resulting in <em>lsass.exe<\/em> retaining a copy of the user\u2019s plaintext password in memory. This change allowed the attacker to steal the actual password, not just the hash.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91408\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/i-Exchange-server-credential-access-4.png\" alt width=\"912\" height=\"65\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/i-Exchange-server-credential-access-4.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/i-Exchange-server-credential-access-4-300x21.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/i-Exchange-server-credential-access-4-768x55.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/i-Exchange-server-credential-access-4-900x65.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91409\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/j-Exchange-server-credential-access-5.png\" alt width=\"912\" height=\"479\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/j-Exchange-server-credential-access-5.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/j-Exchange-server-credential-access-5-300x158.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/j-Exchange-server-credential-access-5-768x403.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>Another example of stealthy execution that attackers implemented was creating a wrapper binary for ProcDump and Mimikatz. When run, the tool dropped and executed the ProcDump binary to dump the LSASS memory. The memory dump was loaded inside the same binary and parsed to extract passwords, another example of <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\">reflective DLL injection<\/a> where the Mimikatz binary was present only in memory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91410\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/k-Exchange-server-credential-access-6.png\" alt width=\"912\" height=\"139\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/k-Exchange-server-credential-access-6.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/k-Exchange-server-credential-access-6-300x46.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/k-Exchange-server-credential-access-6-768x117.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>With attacker-controlled accounts now part of Domain Admins group, the attackers performed a technique called <a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/\">DCSYNC<\/a> attack, which abuses the Active Directory replication capability to request account information, such as the NTLM hashes of all the users\u2019 passwords in the organization. This technique is extremely stealthy because it can be performed without running a single command on the actual domain controller.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91411\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/l-Exchange-server-credential-access-7.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/l-Exchange-server-credential-access-7.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/l-Exchange-server-credential-access-7-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/l-Exchange-server-credential-access-7-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/l-Exchange-server-credential-access-7-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<h2>Lateral movement<\/h2>\n<p>In these attacks, the attackers used several known methods to move laterally:<\/p>\n<ul>\n<li>The attackers heavily abused WMI for executing tools on remote systems.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91412\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/m-Exchange-server-lateral-movement-1.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/m-Exchange-server-lateral-movement-1.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/m-Exchange-server-lateral-movement-1-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/m-Exchange-server-lateral-movement-1-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/m-Exchange-server-lateral-movement-1-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<ul>\n<li>The attackers also used other techniques such as creating service or schedule task on remote systems.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91413\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/n-Exchange-server-lateral-movement-2.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/n-Exchange-server-lateral-movement-2.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/n-Exchange-server-lateral-movement-2-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/n-Exchange-server-lateral-movement-2-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/n-Exchange-server-lateral-movement-2-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91414\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/o-Exchange-server-lateral-movement-3.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/o-Exchange-server-lateral-movement-3.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/o-Exchange-server-lateral-movement-3-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/o-Exchange-server-lateral-movement-3-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/o-Exchange-server-lateral-movement-3-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<ul>\n<li>In some cases, the attackers simply run commands on remote systems using PsExec.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91415\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/p-Exchange-server-lateral-movement-4.png\" alt width=\"912\" height=\"45\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/p-Exchange-server-lateral-movement-4.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/p-Exchange-server-lateral-movement-4-300x15.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/p-Exchange-server-lateral-movement-4-768x38.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/p-Exchange-server-lateral-movement-4-900x45.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<h2>Exchange Management Shell abuse<\/h2>\n<p>The Exchange Management Shell is the PowerShell interface for administrators to manage the Exchange server. As such, it exposes many critical Exchange PowerShell cmdlets to allow admins to perform various maintenance tasks, such as assigning roles and permissions, and migration, including importing and exporting mailboxes. These cmdlets are available only on Exchange servers in the Exchange Management Shell or through remote PowerShell connections to the Exchange server.<\/p>\n<p>To understand suspicious invocation of the Exchange Management Shell, we need to go one step back in the process chain and analyze the responsible process. As mentioned, common application pools <em>MSExchangeOWAAppPool<\/em> or <em>MSExchangeECPAppPool<\/em> accessing the shell should be considered suspicious.<\/p>\n<p>In our investigation, attackers leveraged these admin cmdlets to perform critical tasks such as exporting mailboxes or running arbitrary scripts. Attackers used different ways to load and run PowerShell cmdlets through the Exchange Management Shell.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91416\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/q-Exchange-server-abuse-ems-1.png\" alt width=\"912\" height=\"66\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/q-Exchange-server-abuse-ems-1.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/q-Exchange-server-abuse-ems-1-300x22.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/q-Exchange-server-abuse-ems-1-768x56.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/q-Exchange-server-abuse-ems-1-900x66.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>In certain cases, attackers created a PowerShell wrapper around the commands to effectively hide behind legitimate PowerShell activity.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91417\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/r-Exchange-server-abuse-ems-2.png\" alt width=\"912\" height=\"101\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/r-Exchange-server-abuse-ems-2.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/r-Exchange-server-abuse-ems-2-300x33.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/r-Exchange-server-abuse-ems-2-768x85.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/r-Exchange-server-abuse-ems-2-900x101.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>These cmdlets allowed the attackers to perform the following:<\/p>\n<ul>\n<li>Search received email<\/li>\n<\/ul>\n<p>In our investigations, attackers were primarily interested in received emails. They searched for message delivery information filtered by the event \u2018Received\u2019. The search time frame showed the attackers were initially interested in the entire log history. Later, a similar command was run with a trimmed timeline of one year.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91418\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/s-Exchange-server-abuse-ems-3.png\" alt width=\"912\" height=\"153\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/s-Exchange-server-abuse-ems-3.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/s-Exchange-server-abuse-ems-3-300x50.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/s-Exchange-server-abuse-ems-3-768x129.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<ul>\n<li>Export mailbox<\/li>\n<\/ul>\n<p>Attackers exported mailboxes through these four steps:<\/p>\n<ol>\n<li>\n<ol>\n<li>Granted <em>ApplicationImpersnation<\/em> role to the attacker-controlled account. This effectively allowed the supplied account to access all mailboxes in the organization.<\/li>\n<li>Granted \u2018Mailbox Import Export\u2019 role to the attacker-controlled account. This role is required to be added before attempting mailbox export.<\/li>\n<li>Exported the mailbox with filter \u201c<em>Received -gt \u201801\/01\/2020 0:00:00<\/em>\u2019\u201d.<\/li>\n<li>Removed the mailbox export request to avoid raising suspicion.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91420\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/t-Exchange-server-abuse-ems-4.png\" alt width=\"912\" height=\"99\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/t-Exchange-server-abuse-ems-4.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/t-Exchange-server-abuse-ems-4-300x33.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/t-Exchange-server-abuse-ems-4-768x83.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/t-Exchange-server-abuse-ems-4-900x99.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91421\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/u-Exchange-server-abuse-ems-5.png\" alt width=\"912\" height=\"117\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/u-Exchange-server-abuse-ems-5.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/u-Exchange-server-abuse-ems-5-300x38.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/u-Exchange-server-abuse-ems-5-768x99.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<h2>Tampering with security tools<\/h2>\n<p>As part of lateral movement, the attackers attempted to disable Microsoft Defender Antivirus. Attackers also disabled archive scanning to bypass detection of tools and data compressed in .zip files, as well as created exclusion for <em>.dat<\/em> extension. The attackers tried to disable automatic updates to avoid any detection by new intelligence updates. For Microsoft Defender ATP customers, <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/prevent-changes-to-security-settings-with-tamper-protection\">tamper protection<\/a> prevents such malicious and unauthorized changes to security settings.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91422\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/v-Exchange-server-security-tampering.png\" alt width=\"912\" height=\"119\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/v-Exchange-server-security-tampering.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/v-Exchange-server-security-tampering-300x39.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/v-Exchange-server-security-tampering-768x100.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<h2>Remote access<\/h2>\n<p>The next step for attackers was to create a network architecture using port forwarding tools like <em>plink.exe<\/em>, a command line connection tool like <em>ssh<\/em>. Using these tools allowed attackers to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP). This is a very stealthy technique: attackers reused dumped credentials to access the machines through encrypted tunneling software, eliminating the need to deploy backdoors, which may have a high chance of getting detected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91423\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/w-Exchange-server-remote-access.png\" alt width=\"912\" height=\"115\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/w-Exchange-server-remote-access.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/w-Exchange-server-remote-access-300x38.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/w-Exchange-server-remote-access-768x97.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<h2>Exfiltration<\/h2>\n<p>Finally, dumped data was compressed using the utility tool <em>rar.exe.<\/em> The compressed data mostly comprised of the extracted <em>.pst<\/em> files, along with memory dumps.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91424\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/x-Exchange-server-exfiltration.png\" alt width=\"912\" height=\"81\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/x-Exchange-server-exfiltration.png 912w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/x-Exchange-server-exfiltration-300x27.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/x-Exchange-server-exfiltration-768x68.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/x-Exchange-server-exfiltration-900x81.png 900w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\"><\/p>\n<p>As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like <em>plink.exe<\/em>, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.<\/p>\n<p>Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take to ensure they don\u2019t fall victim to Exchange server compromise.<\/p>\n<ol>\n<li>Apply the latest security updates<\/li>\n<\/ol>\n<p>Identify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patches for CVE-2020-0688 is in place. Use <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/microsoft-defender-atp\/next-gen-threat-and-vuln-mgt\">threat and vulnerability management<\/a> to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.<\/p>\n<ol start=\"2\">\n<li>Keep antivirus and other protections enabled<\/li>\n<\/ol>\n<p>It\u2019s critical to protect Exchange servers with <a href=\"https:\/\/docs.microsoft.com\/exchange\/antispam-and-antimalware\/windows-antivirus-software?view=exchserver-2019\">antivirus software<\/a> and other security solutions like firewall protection and MFA. <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/enable-cloud-protection-windows-defender-antivirus\">Turn on cloud-delivered protection<\/a> and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-exploit-guard\/attack-surface-reduction-exploit-guard\">attack surface reduction rules<\/a> to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/Tamper-protection-now-generally-available-for-Microsoft-Defender\/ba-p\/911482\">tamper protection<\/a> features to prevent attackers from stopping security services.<\/p>\n<p>If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate <a href=\"https:\/\/docs.microsoft.com\/exchange\/antispam-and-antimalware\/windows-antivirus-software\">settings<\/a>.<\/p>\n<ol start=\"3\">\n<li>Review sensitive roles and groups<\/li>\n<\/ol>\n<p>Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as <em>mailbox import export<\/em> and <em>Organization Management<\/em> using the <em>Get-ManagementRoleAssignment<\/em> cmdlet in Exchange PowerShell.<\/p>\n<ol start=\"4\">\n<li>Restrict access<\/li>\n<\/ol>\n<p>Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce <a href=\"https:\/\/docs.microsoft.com\/windows-server\/identity\/securing-privileged-access\/securing-privileged-access#2-just-in-time-local-admin-passwords\">strong randomized, just-in-time local administrator passwords<\/a> and Enable MFA. Use tools like <a href=\"https:\/\/technet.microsoft.com\/en-us\/mt227395.aspx\">LAPS<\/a>.<\/p>\n<p>Place access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don\u2019t expose the ECP directory to the web if it isn\u2019t necessary and to anyone in the company who doesn\u2019t need to access it. Apply similar restrictions to other application pools.<\/p>\n<ol start=\"5\">\n<li>Prioritize alerts<\/li>\n<\/ol>\n<p>Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like \u2018<em>MSExchangeOWAAppPool\u2019<\/em> or <em>\u2018MSExchangeECPAppPool\u2019<\/em> are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as <em>net.exe<\/em>, <em>cmd.exe<\/em>, and <em>mshta.exe<\/em> originating from these pools or <em>w3wp.exe<\/em> in general.<\/p>\n<p>Behavior-based blocking and containment capabilities in <a href=\"https:\/\/www.microsoft.com\/WindowsForBusiness\/windows-atp\">Microsoft Defender Advanced Threat Protection<\/a> stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91436\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnCMD-1-1.png\" alt width=\"400\" height=\"412\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnCMD-1-1.png 645w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnCMD-1-1-291x300.png 291w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\">&nbsp; <img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91432\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnEMS-1.png\" alt width=\"400\" height=\"412\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnEMS-1.png 645w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnEMS-1-291x300.png 291w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\"><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91434\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/WebShellTerminal-1.png\" alt width=\"400\" height=\"412\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/WebShellTerminal-1.png 645w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/WebShellTerminal-1-291x300.png 291w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\">&nbsp; <img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91433\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnNET-1.png\" alt width=\"400\" height=\"412\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnNET-1.png 645w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/IISExchgSpawnNET-1-291x300.png 291w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\"><\/p>\n<p><em>Figure 7. Microsoft Defender ATP alerts on blocked behaviors<\/em><\/p>\n<p>In addition, Microsoft Defender ATP\u2019s endpoint detection and response (EDR) sensors provide visibility into other suspicious and malicious activities on Exchange servers, which are raised as alerts. The new alert page presents data in an investigation-driven approach meant to empower SecOps teams to easily investigate and take actions.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91429 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell.png\" alt width=\"1845\" height=\"960\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell.png 1845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell-300x156.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell-1024x533.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell-768x400.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Possible-IIS-web-shell-1536x799.png 1536w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\"><\/a><\/p>\n<p><em>Figure 8. Microsoft Defender ATP alert and process tree<\/em><\/p>\n<p>If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent further damage. Beyond resolving these alerts in the shortest possible time, however, organizations should focus on investigating the end-to-end attack chain and trace the vulnerability, misconfiguration, or other weakness in the infrastructure that allowed the attack to occur.<\/p>\n<p>Microsoft Defender ATP is a component of the broader <a href=\"https:\/\/www.microsoft.com\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a> (MTP), which provides comprehensive visibility into advanced attacks by combining the capabilities of Office 365 ATP, Azure ATP, Microsoft Cloud App Security, and Microsoft Defender ATP. Through the <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/mtp\/incidents-overview?view=o365-worldwide\">incidents<\/a> view, MTP provides a consolidated picture of related attack evidence that shows the complete attack story, empowering SecOps teams to thoroughly investigate attacks.<\/p>\n<p>In addition, MTP\u2019s visibility into malicious artifacts and behavior empowers security operations teams to proactively hunt for threats on Exchange servers. For example, MTP can be connected to Azure Sentinel to enable <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-sentinel\/web-shell-threat-hunting-with-azure-sentinel-and-microsoft\/ba-p\/1448065\">web shell threat hunting<\/a>.<\/p>\n<p>Through built-in intelligence and automation, Microsoft Threat Protection coordinates protection, detection, and response across endpoints, identity, data, and apps. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Learn more<\/a>.<\/p>\n<p><strong><em>Hardik Suri<\/em><\/strong><\/p>\n<p><em>Microsoft Defender ATP Research Team<\/em><\/p>\n<h3>MITRE ATT&amp;CK techniques<\/h3>\n<p>Initial access<\/p>\n<p>Execution<\/p>\n<p>Persistence<\/p>\n<p>Privilege escalation<\/p>\n<p>Defense evasion<\/p>\n<p>Credential access<\/p>\n<p>Discovery<\/p>\n<p>Lateral movement<\/p>\n<p>Collection<\/p>\n<p>Command and control<\/p>\n<p>Exfiltration<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/06\/24\/defending-exchange-servers-under-attack\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. Keeping these servers safe from these advanced attacks is of utmost importance.<br \/>\nThe post Defending Exchange servers under attack appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":35718,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[8026,347,3873,5351,6999,7221,6578,7606],"class_list":["post-35717","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-behavioral-blocking-and-containment","tag-cybersecurity","tag-exchange-server","tag-fileless","tag-living-off-the-land","tag-microsoft-security-intelligence","tag-threat-protection","tag-web-shell"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-06-24T16:00:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1194\" \/>\n\t<meta property=\"og:image:height\" content=\"449\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Defending Exchange servers under attack\",\"datePublished\":\"2020-06-24T16:00:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/\"},\"wordCount\":2868,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/defending-exchange-servers-under-attack.png\",\"keywords\":[\"behavioral blocking and containment\",\"Cybersecurity\",\"Exchange Server\",\"fileless\",\"living-off-the-land\",\"Microsoft security intelligence\",\"Threat protection\",\"web shell\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/\",\"name\":\"Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/defending-exchange-servers-under-attack.png\",\"datePublished\":\"2020-06-24T16:00:40+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/defending-exchange-servers-under-attack.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/defending-exchange-servers-under-attack.png\",\"width\":1194,\"height\":449},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/defending-exchange-servers-under-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"behavioral blocking and containment\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/behavioral-blocking-and-containment\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Defending Exchange servers under attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/","og_locale":"en_US","og_type":"article","og_title":"Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-06-24T16:00:40+00:00","og_image":[{"width":1194,"height":449,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Defending Exchange servers under attack","datePublished":"2020-06-24T16:00:40+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/"},"wordCount":2868,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png","keywords":["behavioral blocking and containment","Cybersecurity","Exchange Server","fileless","living-off-the-land","Microsoft security intelligence","Threat protection","web shell"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/","url":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/","name":"Defending Exchange servers under attack 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png","datePublished":"2020-06-24T16:00:40+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/defending-exchange-servers-under-attack.png","width":1194,"height":449},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/defending-exchange-servers-under-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"behavioral blocking and containment","item":"https:\/\/www.threatshub.org\/blog\/tag\/behavioral-blocking-and-containment\/"},{"@type":"ListItem","position":3,"name":"Defending Exchange servers under attack"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=35717"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35717\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/35718"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=35717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=35717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=35717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}