Named attack · kill-chain walkthrough

ProxyLogon / Hafnium

Mass exploitation of on-premises Microsoft Exchange Server

Actor: Hafnium (Silk Typhoon) · Activity window: Jan 3 2021 – Mar 2021 · Attribution: High confidence

Microsoft attributed the original campaign with high confidence to Hafnium, a PRC state-sponsored group operating from leased U.S.-based VPS infrastructure. In Microsoft's 2023 weather-system taxonomy Hafnium is folded into 'Silk Typhoon'.

A chain of four Exchange CVEs — no credentials required — let attackers bypass authentication, escalate to SYSTEM, and drop web shells on tens of thousands of internet-facing Exchange servers. Microsoft shipped out-of-band patches on March 2 2021; within hours, dozens of separate threat actors began mass-scanning unpatched servers. By some estimates 250,000+ Exchange servers were compromised globally before patching could catch up. Hafnium opened the door; the broader internet walked through it.

[Kill-chain diagram, rendered as text]

  • Exploit chain (chained, no credentials required): CVE-2021-26855 pre-auth SSRF (bypasses the auth gate) → CVE-2021-26858 and CVE-2021-27065 post-auth file writes → CVE-2021-26857 UM deserialization → SYSTEM
  • Target: on-premises Exchange Server with OWA / ECP exposed; Volexity observed exploitation from Jan 3 2021
  • Web shell (T1505.003): .aspx China Chopper variant under /owa/auth/ and /ecp/, e.g. \inetpub\wwwroot\aspnet_client\error.aspx and \FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
  • Privilege escalation (T1068): CVE-2021-26857 UM service deserialization → SYSTEM; full host control, LSASS / AD accessible
  • Discovery (T1059.001 · T1087.002): PowerShell Get-Mailbox / Get-MailboxStatistics; LDAP enumeration of AD users, groups, OUs; targets: gov, defense, NGO, research
  • Collection and exfiltration (T1114.002 · T1041): New-MailboxExportRequest → .pst staged on disk, downloaded via web shell over HTTPS
  • Aftermath: patch day March 2 2021, then the pile-on: Hafnium opened the door and dozens of crews piled in; 10+ APT groups (ESET), ransomware and cryptominers all exploiting the same 4 CVEs. Mar 2: patches + disclosure · Mar 3: CISA ED-21-02, mass scanning · Mar 5: ~250,000 servers hit
  1. Phase 01 · Initial Access (TA0001)

    CVE-2021-26855: pre-auth SSRF in Exchange bypasses every authentication gate

    • Volexity observed Hafnium exploiting Exchange zero-days from at least January 3, 2021 — two months before public disclosure.
    • CVE-2021-26855 is a pre-authentication Server-Side Request Forgery (SSRF) in the Exchange Client Access Service. Attackers send a crafted HTTP request containing a specially-formed cookie, causing Exchange to proxy the request to an internal back-end endpoint as if it were authenticated, without any credentials.
    • This SSRF is the 'ProxyLogon' core. It breaks the authentication boundary entirely — Exchange's front-end service passes the forged authentication context to back-end EWS or PowerShell endpoints.
    • Attack surface: any internet-exposed Exchange OWA or ECP endpoint on ports 443/80. No account, no phishing, no VPN required.
    • Once SSRF is in hand, the attacker chains it immediately to the file-write CVEs (see Persistence) to land a web shell in a single composite HTTP request sequence.
  2. Phase 02 · Execution (TA0002)

    Web shells (China Chopper variants) give interactive command execution via HTTP

    • With file-write primitives established (see Persistence), attackers wrote .aspx web shell files into Exchange's OWA /auth/ directory and ECP static file directories, both of which are served directly by IIS.
    • The primary web shell family observed by Volexity and Microsoft was China Chopper variants — a minimal one-liner that passes a POST body to eval() — and custom ASPX shells with similar functionality.
    • The web shell accepts commands as Base64-encoded POST parameters and returns output over the same HTTPS channel, blending into Exchange's own TLS traffic.
    • This provides full Windows command execution on the Exchange server as the IIS application pool identity (NETWORK SERVICE by default, later escalated to SYSTEM via CVE-2021-26857).
  3. Phase 03 · Persistence (TA0003)

    CVE-2021-26858 & CVE-2021-27065: post-auth file write drops the web shell

    • CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file write vulnerabilities in Exchange. Neither requires a real account — the SSRF in CVE-2021-26855 supplies the authentication context.
    • The attack chain is: SSRF (26855) → authenticate as any user via the back-end → write a .aspx file to an arbitrary path via the file write primitive (26858 or 27065). The entire sequence can be executed unauthenticated in seconds.
    • Web shells written to OWA/ECP directories persist across Exchange service restarts because they are static files on disk, not in-memory artifacts.
    • Some Hafnium intrusions also abused Exchange service accounts post-escalation to maintain access (T1078) and registered new virtual directories.
  4. Phase 04 · Privilege Escalation (TA0004)

    CVE-2021-26857: insecure deserialization in Unified Messaging escalates to SYSTEM

    • CVE-2021-26857 is an insecure deserialization vulnerability in the Exchange Unified Messaging service, which runs as SYSTEM.
    • A specially-crafted serialized .NET object sent to the UM service's RPC endpoint triggers deserialization of attacker-controlled code, resulting in arbitrary command execution as SYSTEM.
    • This does require authentication — but again, CVE-2021-26855 (SSRF) supplies that authentication for free, making the full SYSTEM escalation achievable unauthenticated in a single composed attack.
    • With SYSTEM, the attacker can read the Exchange service account password from LSASS or the registry, dump the Active Directory, install kernel-mode tools, and fully own the host.
  5. Phase 05 · Discovery (TA0007)

    PowerShell Get-Mailbox enumeration and LDAP queries identify high-value targets

    • Hafnium used the web shell to execute Exchange Management Shell (PowerShell) cmdlets, particularly Get-Mailbox and Get-MailboxStatistics, to enumerate all mailboxes and identify high-value targets (government officials, researchers, defense contractors, NGOs).
    • LDAP queries were issued against the local Active Directory to enumerate users, groups, and organizational units — all available to SYSTEM on an Exchange server that is typically a domain member.
    • Microsoft MSTIC noted that Hafnium's targeting was selective: the actor specifically sought email from infectious disease researchers, law firms, defense contractors, and policy think tanks.
  6. Phase 06 · Collection & Exfiltration (TA0009)

    Bulk PST/OST mailbox exports via Exchange's own cmdlets, exfiltrated over the web shell channel

    • Hafnium used New-MailboxExportRequest (an Exchange Management Shell cmdlet) to export entire mailboxes to .pst files on disk. This is a legitimate Exchange admin function — the audit trail is easy to miss.
    • Exported PST files were staged on the Exchange server's local disk or a UNC share, then downloaded through the web shell over HTTPS.
    • In some intrusions, Volexity observed Procdump being used to dump LSASS memory and Nishang PowerShell reverse shells to establish secondary outbound channels.
    • Exfiltration paths varied: direct web shell HTTP download, or Cobalt Strike beacons deployed in follow-on operations.
  7. Phase 07 · Impact: Mass-Exploitation Aftermath (TA0040)

    Patches shipped March 2 — within hours, dozens of actors were mass-shelling 250,000+ unpatched servers worldwide

    • Microsoft released out-of-band patches for all four CVEs on March 2, 2021. CISA issued Emergency Directive 21-02 the next day (March 3), ordering all federal agencies to patch or disconnect within days.
    • Despite the immediate disclosure, the patch rate could not keep up with the scanning rate. Within 24 hours of public disclosure, multiple independent threat actor groups — ransomware operators, cryptominers, and other espionage crews — began mass-scanning for vulnerable Exchange servers and dropping their own web shells, Cobalt Strike beacons, and ransomware.
    • ESET tracked at least 10 distinct APT groups exploiting the vulnerabilities in the days after disclosure. By early March, estimates ranged from 125,000 to 250,000 compromised Exchange servers globally. By March 5, 2021, automated exploitation was widespread and indiscriminate.
    • Hafnium's original campaign was targeted and selective. The post-disclosure scramble by opportunistic actors is the defining disaster of this incident — the CVE chain's zero-authentication requirement made mass exploitation trivially scriptable.
    • CISA AA21-062A and Emergency Directive 21-02 document the government response. Long-term impact included ransomware deployment (Black Kingdom, DearCry) on Exchange servers that were shelled but not remediated.
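As a defender-side check for the Phase 01 SSRF (the step every later phase depends on), here is an added example, not code from the page or its sources, that parses Exchange HttpProxy logs for the indicator Microsoft's ProxyLogon hunting guidance describes: back-end requests with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path>. The log text is a constructed sample with a reduced column set; the host name EXCH01, the users and the IP addresses are made up.

```python
"""Hunt for CVE-2021-26855 (ProxyLogon SSRF) indicators in Exchange HttpProxy logs."""
import csv
import io
from fnmatch import fnmatch

# Constructed sample resembling the CSV layout of Exchange HttpProxy logs
# (real logs carry many more columns); not taken from any real server.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-01T10:00:01.000Z,1,203.0.113.10,/owa/auth/logon.aspx,,
2021-03-01T10:00:05.000Z,2,198.51.100.7,/ecp/,corp\\alice,Smtp~alice@example.test
2021-03-01T10:01:12.000Z,3,203.0.113.10,/ecp/,,ServerInfo~EXCH01/autodiscover/autodiscover.xml
2021-03-01T10:01:13.000Z,4,203.0.113.10,/ecp/,,ServerInfo~EXCH01/ews/exchange.asmx
2021-03-01T10:02:00.000Z,5,198.51.100.7,/owa/,corp\\bob,Smtp~bob@example.test
"""


def parse_httpproxy_log(text):
    """Return one dict per request row, skipping the '#' metadata header lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(rows))))


def find_ssrf_indicators(text):
    """Rows where the front end proxied an unauthenticated request whose anchor
    mailbox was caller-chosen (ServerInfo~<host>/<path>): the pattern Microsoft's
    hunting guidance associates with CVE-2021-26855 exploitation. Legitimate
    traffic carries an AuthenticatedUser and an Smtp~/Sid~ style anchor."""
    hits = []
    for row in parse_httpproxy_log(text):
        if row["AuthenticatedUser"] == "" and fnmatch(row["AnchorMailbox"], "ServerInfo~*/*"):
            hits.append(row)
    return hits


def suspicious_client_ips(text):
    """Distinct client IPs behind the SSRF hits, for pivoting into IIS and firewall logs."""
    return sorted({row["ClientIpAddress"] for row in find_ssrf_indicators(text)})


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
```

On a real server the same functions can be fed the contents of each file under the Exchange installation's Logging\HttpProxy tree; a hit should be followed by the web-shell and virtual-directory checks for the file-write CVEs, since the SSRF alone leaves nothing on disk.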
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Hafnium (Silk Typhoon)
Capability
  • T1190
  • T1071.001
  • T1059.003
  • T1505.003
  • T1078
Infrastructure
Victim
  • See narrative above
Primary sources