Skip to main content

Client alert: Microsoft Exchange servers

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Jason Krauss | March 22, 2021

Risk impacts and considerations from the recent incident involving Microsoft Exchange servers.

What happened exactly?

On March 2, 2021, Microsoft disclosed a critical vulnerability impacting on-premises Microsoft Exchange Servers, including 2010, 2013, 2016 and 2019 versions. Microsoft reported that internet facing servers, such as Outlook Web Access, were particularly at risk of compromise, permitting hackers to gain access to email accounts and the ability to install malware that might enable hackers to access those servers at a later time. Microsoft specified, however, that this vulnerability does not affect Office 365/Exchange Online mailboxes. Further, it has been reported by a variety of news sources, that the attack was carried out by Hafnium, a state sponsored Chinese hacking group and had been ongoing since January 6, the day of the capitol riot. At a high level, there are many similarities between this incident and the Solarwinds exploit in that it appears to be a highly sophisticated state sponsored actor who infiltrated networks and then installed a backdoor to gain ongoing access.

According to the Cybersecurity and Infrastructure Security Agency (CISA), exploiting this vulnerability enables the attacker to infiltrate systems and gain access to files and mailboxes. To date, according to a KrebsOnSecurity report, these vulnerabilities have led to over 30,000 U.S. governmental and commercial organizations having their emails hacked, as well as reports of tens of thousands of email server hacks. Security experts have indicated that the detection and cleanup process will be a massive effort for thousands of state and city governments, fire and police departments, school districts, financial institutions and other organizations that were affected.1

How could this impact you?

While Microsoft released patches to address vulnerabilities in Microsoft Exchange Servers on March 2, attackers had almost two months to carry out their operation from when the attack reportedly began on January 6. Through the exploit, the group is able to gain access to an organization’s exchange server either by using stolen account credentials or by using the vulnerabilities to appear as an authorized user. Further, hackers can control the compromised server remotely by creating a web shell, malicious code that gives attackers remote administrative access. The attackers can then utilize that remote access to steal data from an organization's network.2 The extent of the hacker’s access to systems can be significant, with every email sent, received and stored in every individual account potentially accessible. Even if an organization installed the required patch immediately, there is no assurance that the exploit hasn’t already been harvested prior to detection.

What precautions should you take?

To secure against this threat, CISA recommends organizations examine their systems, implement certain Tactics, Techniques and Procedures (TTCs) and look for Indicators of Compromise (IOC) associated with malicious activity. If an organization discovers exploitation activity, they should assume a network identity compromise and follow incident response procedures, as well as placing their cyber insurance carrier on notice. Your cyber insurance carrier will provide guidance on what steps to take to respond to this incident, including taking inventory of the data that may have been exposed. It is important to note that in general, reasonable suspicion of unauthorized access into an organization’s network triggers coverage for incident response expenses, including, but not limited to, the costs to hire an outside law firm, an IT forensics firm to determine the scope of the compromise, and a public relations firm. If it is determined that a compromise occurred, the law firm retained on your behalf should advise on your reporting obligations to clients and regulators.

Even if no evidence of an infiltration is uncovered, you should apply available patches immediately and implement the mitigations identified in this alert. As cloud-based email systems were not impacted by this incident, it is recommended that organizations consider utilizing cloud-based technology rather than on premise systems. Further, this incident should serve as yet another reminder that even large technology companies like Microsoft can be infiltrated. Technological safeguards only go so far. It is therefore a good time to review your cyber insurance coverage with your broker or to consider a risk transfer strategy if one is not already in place.

Why Willis Towers Watson

More than half of all cyber incidents begin with employees, so it’s a people problem. And the average data breach costs approximately $4 million, so it’s a capital problem, too. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, provide innovative solutions and improve your ability to successfully recover from future attacks.





FINEX Cyber/E&O Thought and Product Leader


GB Head of FINEX Financial Institutions

Related Solutions

Contact Us