{"id":39958,"date":"2021-03-11T15:05:55","date_gmt":"2021-03-11T15:05:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32097\/Vexing-Mystery-Surrounds-0-Day-Attacks-On-Exchange-Servers.html"},"modified":"2021-03-11T15:05:55","modified_gmt":"2021-03-11T15:05:55","slug":"vexing-mystery-surrounds-0-day-attacks-on-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vexing-mystery-surrounds-0-day-attacks-on-exchange-servers\/","title":{"rendered":"Vexing Mystery Surrounds 0-Day Attacks On Exchange Servers"},"content":{"rendered":"<figure class=\"intro-image intro-left\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/02\/zeroday-800x534.jpg\" alt=\"The phrase Zero Day can be spotted on a monochrome computer screen clogged with ones and zeros.\"><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 advanced hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. 
That raises a vexing question: how did so many separate threat actors have working exploits before the security flaws became publicly known?<\/p>\n<p>Researchers say that as many as 100,000 mail servers around the world have been compromised, with those for the <a href=\"https:\/\/www.eba.europa.eu\/cyber-attack-european-banking-authority-update-3\">European Banking Authority<\/a> and <a href=\"https:\/\/www.reuters.com\/article\/norway-cyber\/update-3-norways-parliament-hit-by-new-hack-attack-idUSL8N2L855J\">Norwegian Parliament<\/a> being disclosed in the past few days. Once attackers gain the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means for remotely issuing commands and executing code.<\/p>\n<p>When Microsoft issued emergency patches on March 2, the company said the vulnerabilities were being exploited in limited and targeted attacks by a state-backed hacking group in China known as Hafnium. On Wednesday, ESET provided a starkly different assessment. Of the 10 groups ESET products have recorded exploiting vulnerable servers, six of those APTs\u2014short for advanced persistent threat actors\u2014began hijacking servers while the critical vulnerabilities were still unknown to Microsoft.<\/p>\n<p>It\u2019s not often that a so-called zero-day vulnerability is exploited by two groups in unison, but it happens. A zero-day under attack by six APTs simultaneously, on the other hand, is highly unusual, if not unprecedented.<\/p>\n<p>\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET researchers Matthieu Faou, Mathieu Tartare, and Thomas Dupuy wrote in a <a href=\"https:\/\/www.welivesecurity.com\/2021\/03\/10\/exchange-servers-under-siege-10-apt-groups\/\">Wednesday post<\/a>. 
\u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/eset-timeline.png\" class=\"enlarge\" data-height=\"641\" data-width=\"1200\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/eset-timeline-640x342.png\" width=\"640\" height=\"342\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/eset-timeline.png 2x\"><\/a><figcaption class=\"caption\"><\/figcaption><\/figure>\n<h2>Beyond unlikely<\/h2>\n<p>The mystery is compounded by this: within a day of Microsoft issuing the patches, at least three more APTs joined the fray. A day later, another one was added to the mix. While it\u2019s possible that those four groups reverse-engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.<\/p>\n<p>There\u2019s no clear explanation for the mass exploitation by so many different groups, leaving researchers few alternatives other than to speculate.<\/p>\n<p>\u201cIt would seem that while the exploits were originally used by Hafnium, something made them share the exploit with other groups around the time the associated vulnerabilities were getting patched by Microsoft,\u201d Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, told me. 
\u201cThis could suggest a certain degree of cooperation between these groups, or it may also suggest the exploits were available for sale in certain markets and the potential of them getting patched resulted in a drop of price, allowing others to acquire it as well.\u201d<\/p>\n<p>Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, arrived at largely the same assessment.<\/p>\n<p>\u201cThe idea that six groups coming from the same region would independently discover the same chain of vulnerabilities and develop the same exploit is beyond unlikely,\u201d he wrote in a direct message. \u201cThe simpler explanation is that there&#8217;s (a) an exploit seller in common, (b) an unknown source (like a forum) available to all of these, or (c) a common entity that organizes these different hacking groups and provided them the exploit to ease their activities (say, China&#8217;s Ministry of State Security).\u201d<\/p>\n<h2>Naming names<\/h2>\n<p>The six groups ESET identified exploiting the vulnerabilities when they were still zero-days are:<\/p>\n<ul>\n<li><b>Hafnium:<\/b> The group, which Microsoft said is state sponsored and based in China, was exploiting the vulnerabilities by early January.<\/li>\n<li><b>Tick (also known as Bronze Butler and RedBaldKnight):<\/b> On February 28, two days before Microsoft issued patches, this group used the vulnerabilities to compromise the web server of an East Asian IT services company. 
Tick has been active since 2018 and targets organizations mostly in Japan but also in South Korea, Russia, and Singapore.<\/li>\n<li><b>LuckyMouse (APT27 and Emissary Panda):<\/b> On March 1, this cyber-espionage group known to have breached multiple government networks in Central Asia and the Middle East compromised the email server of a governmental entity in the Middle East.<\/li>\n<li><b>Calypso (with ties to <a href=\"https:\/\/st.drweb.com\/static\/new-www\/news\/2020\/july\/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf\">Xpath<\/a>):<\/b> On March 1, this group compromised the email servers of governmental entities in the Middle East and South America. In the following days, it went on to target organizations in Africa, Asia, and Europe. Calypso targets governmental organizations in these regions.<\/li>\n<li><b>Websiic:<\/b> On March 1, this APT, which ESET had never seen before, targeted mail servers belonging to seven Asian companies in the IT, telecommunications, and engineering sectors and one governmental body in Eastern Europe.<\/li>\n<li><b>Winnti (aka APT 41 and Barium):<\/b> Just hours before Microsoft released the emergency patches on March 2, ESET data shows this group compromising the email servers of an oil company and a construction equipment company, both based in East Asia.<\/li>\n<\/ul>\n<p>ESET said it saw four other groups exploiting the vulnerabilities in the days immediately following Microsoft&#8217;s release of the patch on March 2. Two unknown groups started the day after. 
Two other groups, known as Tonto and Mikroceen, began on March 3 and March 4, respectively.<\/p>\n<h2>China and beyond<\/h2>\n<p>Joe Slowik, senior security researcher at security firm DomainTools, published his <a href=\"https:\/\/www.domaintools.com\/resources\/blog\/examining-exchange-exploitation-and-its-lessons-for-defenders\">own analysis<\/a> on Wednesday and noted that three of the APTs&nbsp;that ESET saw exploiting the vulnerabilities ahead of the patches\u2014Tick, Calypso, and Winnti\u2014have previously been linked to hacking sponsored by the People\u2019s Republic of China. Two other APTs&nbsp;that ESET saw exploiting the vulnerabilities a day after the patches\u2014Tonto and Mikroceen\u2014also have ties to the PRC, the researcher said.<\/p>\n<p>Slowik produced the following timeline:<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/domain-tools-timeline.png\" class=\"enlarge\" data-height=\"469\" data-width=\"1200\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/domain-tools-timeline-640x250.png\" width=\"640\" height=\"250\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/domain-tools-timeline.png 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-credit\">DomainTools<\/div>\n<\/figcaption><\/figure>\n<p>The timeline includes three exploitation clusters that security firm FireEye <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/03\/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html\">has said<\/a> were exploiting the Exchange vulnerabilities since January. 
FireEye referred to the groups as UNC2639, UNC2640, and UNC2643 and didn\u2019t tie the clusters to any known APTs or say where they were located.<\/p>\n<p>Because different security firms use different names for the same threat actors, it&#8217;s not clear if the groups identified by FireEye overlap with those seen by ESET. If they were distinct, the number of threat actors exploiting the Exchange vulnerabilities prior to a patch would be even higher.<\/p>\n<h2>A range of organizations under siege<\/h2>\n<p>The tracking of the APTs came as the FBI and the Cybersecurity and Infrastructure Security Agency issued an <a href=\"https:\/\/www.ic3.gov\/Media\/News\/2021\/210310.pdf\">advisory<\/a> on Wednesday that said threat groups are exploiting organizations including local governments, academic institutions, non-governmental organizations, and business entities in a range of industries, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.<\/p>\n<p>\u201cThis targeting is consistent with previous targeting activity by Chinese cyber actors,\u201d the advisory stated. With security firm Palo Alto Networks <a href=\"https:\/\/unit42.paloaltonetworks.com\/remediation-steps-for-the-microsoft-exchange-server-vulnerabilities\/\">reporting<\/a> on Tuesday that an estimated 125,000 Exchange servers worldwide were vulnerable, CISA and FBI officials\u2019 call for organizations to patch took on an extra measure of urgency.<\/p>\n<p>Both ESET and security firm Red Canary have seen exploited Exchange servers that were infected with DLTMiner, a piece of malware that allows attackers to mine cryptocurrency using the computing power and electricity of infected machines. 
ESET, however, said it wasn\u2019t clear if the actors behind those infections had actually exploited the vulnerabilities or had simply taken over servers that had already been hacked by someone else.<\/p>\n<p>With so many of the pre-patch exploits coming from groups tied to the Chinese government, the hypothesis from SentinelOne\u2019s Guerrero-Saade\u2014that a PRC entity provided the exploits to multiple hacking groups ahead of the patches\u2014seems to be the simplest explanation. That theory is further supported by two other PRC-related groups\u2014Tonto and Mikroceen\u2014being among the first to exploit the vulnerabilities following Microsoft\u2019s emergency release.<\/p>\n<p>Of course, it\u2019s possible that the half-dozen APTs that exploited the vulnerabilities while they were still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If that\u2019s the case, it\u2019s likely a first, and hopefully a last.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32097\/Vexing-Mystery-Surrounds-0-Day-Attacks-On-Exchange-Servers.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":39959,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[8489],"class_list":["post-39958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackermicrosoftemaildata-lossflaw"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39958"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39958\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/39959"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}