Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY ALERT: Microsoft Exchange 0-Day Exploit Detection, Protection and Response

    • Updated:
    • 24 Mar 2021
    • Product/Version:
    • Apex Central All
    • Apex One (Mac)
    • Apex One All
    • Apex One as a Service
    • Cloud App Security
    • Cloud App Security For Office 365 All
    • Cloud Edge All
    • Cloud One - Application Security All
    • Cloud One - Application Security All
    • Cloud One - Container Security All
    • Cloud One - File Storage Security All
    • Cloud One - Network Security All
    • Cloud One - Workload Security All
    • Control Manager All
    • Deep Discovery Advisor All
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Edge
    • Deep Security All
    • Deep Security As A Service
    • Deep Security Azure Marketplace
    • Deep Security Smart Check
    • Hosted Email Security All
    • Instant Messaging Security All
    • Interscan Gateway Security Appliance All
    • Interscan Messaging Security Appliance All
    • InterScan Messaging Security Suite All
    • Interscan Messaging Security Virtual Appliance All
    • Interscan Web Security as a Service - Hybrid
    • Interscan Web Security Suite All
    • Interscan Web Security Virtual Appliance All
    • OfficeScan All
    • Portalprotect All
    • Safe Lock All
    • ScanMail for Exchange All
    • Security for Mac All
    • ServerProtect All
    • ServerProtect For EMC Celerra All
    • ServerProtect For Linux All
    • ServerProtect for Network Appliance Filer All
    • ServerProtect For Storage All
    • Smart Protection Complete All
    • Smart Protection For Endpoints All
    • Smart Protection Server All
    • TippingPoint Digital Vaccine
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint Network Protection (AWS) All
    • TippingPoint Network Protection (Azure) All
    • TippingPoint SMS All
    • TippingPoint Threat Management Center
    • TippingPoint ThreatDV
    • TippingPoint TPS All
    • TippingPoint TX-Series All
    • TippingPoint Virtual SMS
    • TippingPoint Virtual TPS
    • Trend Micro Email Security All
    • Trend Micro Endpoint Sensor All
    • Trend Micro Vision One All
    • Trend Micro Web Security All
    • Worry Free Services for Dell All
    • Worry-Free Business Security Advanced All
    • Worry-Free Business Security Services All
    • Worry-Free Business Security Standard All
    • Worry-Free Plug-In - Security For MAC All
    • Worry-Free Remote Manager All
    • Platform:

March 24, 2021 Update:  Updates regarding detection for associated Black Kingdom ransomware have been added to the article.

March 10, 2021 - We are aware of some reports of the Microsoft Exchange Script flagging certain Trend Micro Deep Security Agent update files as suspicious due to the generic scanning of certain compression. We are attempting to work with Microsoft on this and customers may contact Trend Micro support for further assistance with file verifcation.
On March 2, 2021, Microsoft released a security advisory and emergency Out-of-Band (OOB) patches to address multiple 0-day exploits that appear to have actively attacked on-premises versions of Microsoft Exchange Server.

The affected versions of Microsoft Exchange Server are 2013, 2016 and 2019.
About the Attack

The four critical CVEs that were highlighted in the advisory include a network based server-side request forgery (SSRF) vulnerability, CVE-2021-26855, to gain a foothold and three post-authentication local vulnerabilities: CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Researchers believe that these vulnerabilities were used in an attack chain that could gain access to an organization’s network via the compromised Exchange Server; access and extract sensitive information such as contents of entire email mailboxes and address books; as well as conducting further operations such as dumping credentials, manipulate Active Directory, and moving laterally within the environment.

In addition to Microsoft’s advisories and the following article, potentially affected customers are strongly encouraged to review the U.S. Government Cybersecurity & Infrastructure Security Agency (CISA) Alert AA21-062A for further guidance and information.

Determining if you are Affected

The Microsoft and CISA advisories have very detailed information on Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs) for this attack.

To assist Exchange administrators with investigation of their own servers, the Microsoft Exchange Server team has created a script  that can be run on Exchange servers to scan the logs for IOCs.

Customers who use on-premises versions of Microsoft Exchange Server 2013 and above are highly recommended to either use Microsoft's tool or other similar scripts to validate whether or not they have been affected.

As of March 15, 2021, Microsoft has released a one-click Exchange on-premises mitigation tool as an interim solution for customers who have not applied the formal security patched.  

In addition, customers can use certain Trend Micro products to investigate potential compromise.  More information can be found in the Using Trend Micro Products for Investigation section below. 

What if Indicators are Found?

As the attacker’s next steps could vary from one organization to the next, Trend Micro encourages a forensics investigation (with in-house personnel or a qualified incident response team) if evidence of the attack is found in a customer’s environment.

Protection against further Exploitation

First and foremost, it is highly recommended that all customers follow the guidance from Microsoft to patch their affected on-premises Exchange Servers as quickly as possible.

In addition to the vendor patch that should be applied, Trend Micro has released some supplementary rules and filters that can help provide protection and detection of malicious components associated with this attack for Exchange Servers that have not already been compromised or against further attempted attacks.

Microsoft has also provided some manual mitigation steps for customers that cannot yet patch that can be used in conjunction with some of the Trend Micro preventative technology below.


Using Trend Micro Products for Investigation

The following highlights several post-exploitation detections and remediation rules, filters, patterns and technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Threat Intelligence Sweeping

Indicators for HAFNIUM and the associated Microsoft Exchange Server vulnerabilities are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One.  Customers who have this enabled will now have the presence of the IOCs related to these threats added to their daily telemetry scans.


Utilizing Search Queries

In addition to the Threat Intelligence Sweeping function, Trend Micro Vision One customers can also leverage the powerful the Search App function to run a Data Mapping query for Endpoint Activity Data to look for evidence of compromise using the detailed IOC information from Microsoft.
Please note that with all the following searches, you can narrow the search to specific Exchange server(s) by using the following commands:

Your query AND endpointHostName:myExchangeServer
Your query AND endpointHostName:(myExchangeServer1 OR server2 OR server3)

Looking for child processes of c:\windows\system32\inetsrv\w3wp.exe (any or cmd.exe in particular)
Search Method: EndPoint Activity Data
  • processFilePath:"c:\\windows\\system32\\inetsrv\\w3wp.exe" AND objectFilePath:*
  • processFilePath:"c:\\windows\\system32\\inetsrv\\w3wp.exe" AND objectFilePath:cmd.exe
The following queries will also work:
  • parentFilePath:w3wp.exe AND objectFilePath:cmd.exe
  • parentFilePath:w3wp.exe AND processFilePath:*

Files written to the system by w3wp.exe or UMWorkerProcess.exe
Search Method:  EndPoint Activity Data
  • parentFilePath:(w3wp.exe OR UMWorkerProcess.exe) AND eventSubId: 101
Please note: event Sub 101 is file creation

ASPX files created by the SYSTEM user
Search Method:  EndPoint Activity Data
  • objectUser:SYSTEM AND objectFilePath:*.aspx

New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory
Search Method:  EndPoint Activity Data
  • objectFilePath:("*\Temporary ASP.NET Files\*" AND \*aspx) AND eventSubId: 101
Please note: this query could be considered "noisy"


Searching for attacker use of the following command:  net group "Exchange Organization administrators" administrator /del /domain
Search Method:  General
  • ProcessName:net.exe AND CLICommand:((localgroup OR group) AND (Exchange AND /del))

Searching for attacker potential use of 7-zip for exfiltration on Exchange servers
Search Method:  General
  • processCmd:7z.exe AND endpointHostName:myExchangeServer

Looking for credential dump activity on Exchange servers
In addition to using the Search App, administrators can use the go into the Observed Attack Techniques section of the Trend Micro Vision One console and type dump into the filter. To narrow the scope, you can also add the specific exchange server name in the Endpoint name box to narrow the search.


Detailed information on the Search App, including query syntax and data mapping can be found in Trend Micro’s Online Help Center and additional queries will be updated in this article.

Trend Micro Worry-Free Business Security Services

Small business customers and other Service Providers using the Trend Micro Worry-Free Business Security Services platform can also leverage its built-in XDR capabilities to search for relevant indicators.

Trend Micro Cloud One – Workload Security and Deep Security Integrity Monitoring (IM) Rules

The following rule is a post-exploitation rule that can help detect known web shells used by attackers per Microsoft’s advisory:
  • 1010855 - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities
Please note, that this rule establishes a baseline and then alerts of changes later – therefore depending on when the rule itself was deployed it could provide different data points. If deployed prior to compromise, it can help alert to potential changes and detection. However, even if the rule is deployed post-exploitation, there is still important data such as the list of monitored files in the directories available via the baseline viewer.

Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters

The following are ThreatDV malware filters that look for relevant activity associated with the attack campaigns:
  • 39283 HTTP: Covenant Grunt Runtime Detection (Default Profile - Plaintext)
  • 39284 HTTP: Covenant Grunt Runtime Detection (Default profile - Base64 Encoded)
  • 39285 HTTP: Backdoor.Shell.Krypcoihilo.A Runtime Detection
  • 39255 HTTP: Trojan.Shell.SecChecker.A Runtime Detection
  • 39295 HTTP: Whafnium Webshell Payload Detected

The following are post-exploitation detection filters that look for relevant Chopper activity associated with the attack campaigns:
  • 26898: Tunneling: reGeorg SOCKS Proxy Checkin Traffic
  • 26899: Tunneling: reGeorg SOCKS Proxy Traffic Checkin Response
  • 26900: Tunneling: reGeorg SOCKS Proxy Sending Command Traffic
  • 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
  • 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
  • 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
  • 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)
  • 35779: HTTP: China Chopper ASP/JSP Webshell Payload Detection
  • 36192: HTTP: China Chopper ASP Webshell Payload Only Detection
Preventative Rules and Filters

The following rules, filters and patterns can help customers to protect themselves against new or further exploitation attempts in combination with patching and/or other manual mitigation steps.

Trend Micro Cloud One – Workload Security and Deep Security IPS Rules
  • Rule 1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
  • Rule 1007170 - Identified Suspicious China Chopper Webshell Communication (ATT&CK T1100)

Trend Micro Cloud One – Network Security and TippingPoint IPS Filters
  • Filter 39101: HTTP: Microsoft Exchange Server-Side Request Forgery Vulnerability

Trend Micro Deep Discovery Inspector (DDI)
  • Rule 4527: CVE-2021-26855_HTTP_EXCHANGE_SSRF_EXPLOIT_SB

Trend Micro Malware Detection Patterns (VSAPI, Machine Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Currently known malicious detections for associated web shells, malicious tools and other files:
  • Trojan.PS1.BOXTER.A
  • HackTool.PS1.PowerCat.A.
Trend Micro also has protection against the recently reported "DEARCRY" ransomware that is being reported to utilize these exploit - detected as Ransom.Win32.DEARCRY.THCABBA.

"Black Kingdom" ransomware that is now widely being reported to be associated with these exploits are being detected by Trend Micro as Ransom.Win64.BLACKKINGDOM.B.

In addition, Trend Micro is blocking several known malicious IP addresses and disease vectors associated with the campaign via Trend Micro Web Reputation Services (WRS).

Trend Micro is continuing to aggressively investigate other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection become available.

Reference Links

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.