How to Deal with the Hafnium Attack on Microsoft Exchange Server?

Aftab Alam
Aftab Alam linkedin | Updated On - December 02, 2022 |

Read time 4 minutes

The critical data of business organizations is always vulnerable to external and internal threats, and the administrator tries to minimize such threats. Generally, the managers can train their employees to follow the security protocols and manage internal threats. Still, external cyberattacks are committed by hackers who use different tactics to enter your network.

Recently, Microsoft Threat Intelligence Center (MSTIC) found a new cyberattack with 0-day exploits that target the on-premises Exchange Server accounts and infiltrate the network. After entering the network, it can install some malware and remain in the system for a long period. MSTIC has found the source of the attack as the HAFNIUM group that is a group of hackers supported by China. You can consider it as a state-sponsored veiled attacking group that uses several tactics to steal or intimidate the businesses.

What is the HAFNIUM group?

The HAFNIUM group mainly targets various types of businesses based in the United States. These businesses are various law firms, higher education institutions, defense companies, think tanks, non-government organizations, infectious disease researching facilities, serum manufacturers, etc.

HAFNIUM group operates within the United States through various leased Virtual Private Servers. Earlier, it used to infiltrate the network through their internet-facing servers. It uses some legitimate applications like Covenant’s command prompt to gain entrance. Once it enters the network, they copy the data and paste it to the data sharing sites like Mega upload.

Recently, Microsoft found out that the HAFNIUM group is targeting their Exchange Server customers. The majority of the time, they are unable to change the user account settings, but they steal the data and make it public.

Details of network vulnerabilities

Microsoft has identified some loopholes in various points of the network that HAFNIUM uses to enter the network. Microsoft has also given the security patch for each loophole to protect the Exchange Server from future attacks.

  • CVE-2021-26855 – It is a code that denotes the server-side request forgery vulnerability in on-premises Exchange Server that the hacker uses to send genuine-looking HTTP requests, and Exchange Server finds it as a genuine client request.
  • CVE-2021-26857 – It is the insecure deserialization vulnerability present in the Unified Messaging service section. By making use of this vulnerability, the hackers gain the ability to run code in the Exchange Server.
  • CVE-2021-26858 – It is a post-authentication arbitrary file write vulnerability of the on-premises Exchange Server. When the HAFNIUM hacker can authenticate its query, they can write a new file at any folder or path in the server. It is a crucial vulnerability because it can alter the administrator’s genuine credentials and thus affecting each Exchange user.
  • CVE-2021-27065 – It is another post-authentication arbitrary file write vulnerability that the HAFNIUM hackers use to authenticate their queries. It gives more direct access to write a new file at any folder or path in the server.
How to find if Exchange Server is breached?

There are several indicators, checking points, log files, and advanced hunting queries that you can run on Exchange Shell to find the problem. The Exchange administrators are encouraged by Microsoft to run all these queries and check for the symptoms of the problem.

  1. Check the Exchange HttpProxy logs (CVE-2021-26855)

    The Exchange HttpProxy logs are present are the Program File folder in Exchange Server.

    Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy

    At the given log files, check the AuthenticatedUser entries are empty, and the AnchorMailbox has the pattern of ServerInfo~*/*.

  2. Check the Exchange log files (CVE-2021-26858)

    Find the Exchange logfiles at the location:

    Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
    Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

    If you see that log files are downloaded to other directories, then it means that the HAFNIUM hackers have infiltrated your system.

  3. Check Windows Application event logs (CVE-2021-26857)

    The hacker bug will create the deserialization with the following properties-

    Source: MSExchange Unified Messaging
    EntryType: Error
    Event Message Contains: System.InvalidCastException
  4. Repair the corrupt Exchange database file

    The HAFNIUM attack is meant to steal, modify, or delete the data. It can easily destroy the whole data of your business and corrupt it beyond repair. In such a situation, you can try the ESEUTIL tool to repair EDB. However, the ESEUTIL tool cannot repair severely affected database files. So, you can try professional Exchange data recovery solutions to recover the lost or missing Exchange data completely from inaccessible EDB files. The best tool you can try is Kernel for Exchange Server. With this tool, you can save the recovered data to Office 365 as well (in addition to live Exchange).


Microsoft has handled the HAFNIUM attack well and upgraded the security patches of the Exchange Server. But, if the database is corrupt, then you should repair it as soon as possible. Kernel for Exchange Server is the Exchange Recovery tool that will repair the Exchange Database (EDB) file and help you save the recovered items. You can save the recovered items in live Exchange Server or Office 365.

Kernel for Exchange Server