{"id":39945,"date":"2021-03-10T19:15:00","date_gmt":"2021-03-10T19:15:00","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches\/d\/d-id\/1340368"},"modified":"2021-03-10T19:15:00","modified_gmt":"2021-03-10T19:15:00","slug":"multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches\/","title":{"rendered":"Multiple Attack Groups Exploited Microsoft Exchange Flaws Prior to the Patches"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/img.deusm.com\/darkreading\/dr_staff_125x125.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<header><\/header>\n<p><span class=\"strong black\">Researchers have spotted multiple groups exploiting the zero-day Exchange server vulnerabilities.<\/span><\/p>\n<p class>Multiple attack groups are exploiting the critical Microsoft Exchange Server vulnerabilities patched last week &#8211; and the growing wave of global activity began before Microsoft released emergency fixes on March 2.<\/p>\n<p>Security firms including Red Canary and FireEye are now tracking the exploit activity in clusters and anticipate the number of clusters will grow over time. ESET researchers have detected at least ten APT groups using the critical flaws to target Exchange servers.&nbsp;<\/p>\n<p>When used in an attack chain, the exploits for these vulnerabilities could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server. 
When <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/microsoft-fixes-exchange-server-zero-days-exploited-in-active-attacks\/d\/d-id\/1340305\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft released patches<\/a> for the four Exchange server zero-days, it attributed the activity with high confidence to a Chinese state-sponsored group called Hafnium.<\/p>\n<p>Now, as researchers observe Web shells stemming from suspected Exchange exploitation, they believe far more groups are responsible for the <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/microsoft-exchange-server-attack-escalation-prompts-patching-panic\/d\/d-id\/1340349\" target=\"_blank\" rel=\"noopener noreferrer\">growth in attack activity<\/a>. In a blog post released March 9, Red Canary analysts report none of the clusters they observe significantly overlap with the group Microsoft calls Hafnium; as a result, they are now tracking these clusters separately.<\/p>\n<p>&#8220;We don&#8217;t know who is behind these clusters \u2013 we aren&#8217;t sure if it&#8217;s the same adversaries working together or different adversaries completely,&#8221; the researchers write. &#8220;We&#8217;re focusing narrowly on what we observe on victim servers for our clustering.&#8221; They note that they want &#8220;significant overlaps&#8221; in multiple unique data points to classify attacker activity as a cluster.<\/p>\n<p>Between Feb. 27 and March 3, Red Canary saw a cluster in which China Chopper Web shell was dropped onto Exchange servers. Researchers saw further activity between a few hours and days later; while the exact Web shell filename was different, commands were consistent across multiple victims. China Chopper was likely the start of another cluster dubbed Sapphire Pigeon.<\/p>\n<p>In Sapphire Pigeon, detected March 5, attackers dropped multiple Web shells on some victims at different times, days before they conducted further activity. 
When they did, they showed a range of unique patterns as <a href=\"https:\/\/redcanary.com\/blog\/microsoft-exchange-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">outlined in their blog<\/a>.<\/p>\n<p>Palo Alto Networks&#8217; Unit 42 <a href=\"https:\/\/unit42.paloaltonetworks.com\/china-chopper-webshell\/\" target=\"_blank\" rel=\"noopener noreferrer\">also observed<\/a> different patterns in China Chopper Web shells, a backdoor seen dropped in some of these attacks. Researchers report two distinct clusters of events on Feb. 28 and March 1, before Microsoft&#8217;s patch was released. Their data shows rapid deployment of Web shells during day and night, indicating an automated approach to targeting.<\/p>\n<p>It also reflects a range of victims, which supports the idea that attackers are using automated scanning rather than targeting specific organizations or industries. Unit 42 reports the targets include investment banking firms, water conservatories, industrial automation facilities, law firms, and the hospitality sector. FireEye <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/03\/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html\" target=\"_blank\" rel=\"noopener noreferrer\">has identified<\/a> US-based retailers, local governments, a university, and an engineering firm among affected victims.<\/p>\n<p><strong>APT Groups Unleash Exploits on Exchange Servers<\/strong><\/p>\n<p>ESET researchers noticed on Feb. 
28 the Exchange flaws weaponized by more than ten different APT actors including Tick, LuckyMouse, and Calypso, suggesting multiple attackers learned the details of these flaws before Microsoft released its patch \u2013 &#8220;which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates,&#8221; they report.&nbsp;<\/p>\n<p>Microsoft&#8217;s initial report on the Hafnium group says the Exchange exploit activity was &#8220;limited and targeted.&#8221; And while it seems some threat groups began to target the flaws before a patch was released on March 2, the days following saw a flood of additional attackers driving the activity. Tonto Team, Mikroceen, and Winnti Group were among the groups scanning and compromising Exchange servers &#8220;en masse,&#8221; researchers note in a <a href=\"https:\/\/www.welivesecurity.com\/2021\/03\/10\/exchange-servers-under-siege-10-apt-groups\/\" target=\"_blank\" rel=\"noopener noreferrer\">writeup of their findings<\/a>.<\/p>\n<p>Most of these are APT groups interested in espionage, ESET reports, with the exception of one linked to a known cryptomining campaign. One group, dubbed LuckyMouse, compromised the email server of a governmental entity in the Middle East on March 1, before the patch release. At the same time, another group called Calypso used the Exchange exploit to compromise the email servers of governmental entities in the Middle East and South America; it also targeted servers of governmental entities and private companies in Africa, Asia, and Europe.<\/p>\n<p>As of March 10, ESET researchers had seen more than 5,000 unique servers in more than 115 countries where Web shells were flagged. Once the flaw was exploited and Web shell in place, they saw attempts to install additional malware through it. 
In some cases, several attackers were attempting to target the same organization, they point out.<\/p>\n<p>ESET, like most organizations tracking the threat, is still collecting data.<\/p>\n<p><strong>Threat Data Remains Incomplete<\/strong><\/p>\n<p>Security researchers are still observing the Exchange server attack activity and publishing new information as they learn it. The team with Praetorian successfully reverse-engineered one of the flaws dubbed ProxyLogon (CVE-2021-26855) and developed a functional end-to-end exploit.&nbsp;<\/p>\n<p>In this research, which they <a href=\"https:\/\/www.praetorian.com\/blog\/reproducing-proxylogon-exploit\/\" target=\"_blank\" rel=\"noopener noreferrer\">published<\/a> with removal of critical proof-of-concept components, the team learned that this vulnerability can be &#8220;reliably and consistently exploited&#8221; and used in conjunction with another flaw to &#8220;achieve organization-wide compromise.&#8221;&nbsp;<\/p>\n<p>They say this is due to a common Active Directory misconfiguration regarding Exchange permissions paths, which has been largely ignored by companies because the attack chain depends on a vulnerable Exchange server. &#8220;The new Exchange vulnerability removes that dependency and an attacker can daisy chain these two issues to expand the compromise from a company&#8217;s email to the company itself,&#8221; they write in an email to Dark Reading.<\/p>\n<p><span class=\"italic\">Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. 
She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance &amp; Technology, where she covered financial &#8230;<\/span><\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches\/d\/d-id\/1340368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have spotted multiple groups exploiting the zero-day Exchange server vulnerabilities. Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/multiple-attack-groups-exploited-microsoft-exchange-flaws-prior-to-the-patches\/d\/d-id\/1340368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-39945","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39945"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39945\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}