Zero-day | Resolved

Microsoft Exchange ProxyLogon (Hafnium)

The China-linked group Hafnium chained four Exchange Server zero-days (collectively ProxyLogon) to plant web shells and steal email. After Microsoft's emergency patch the same bugs were exploited en masse by multiple groups, compromising an estimated 60,000+ organisations worldwide.

Victim: Microsoft Exchange Server on-premises customers (global)
Affected organisations: 60.0K (estimated 60,000+)
CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

On 2 March 2021, Microsoft released emergency out-of-band patches for four previously unknown vulnerabilities in on-premises Exchange Server and attributed their active exploitation to a China state-sponsored group it named Hafnium. The vulnerability chain, collectively known as ProxyLogon, let an unauthenticated attacker on the network path to an Internet-facing Exchange server take full control of it, read every mailbox it hosted, and plant a persistent backdoor.

The vulnerabilities

ProxyLogon was an exploit chain across four CVEs:

  • CVE-2021-26855: a server-side request forgery (SSRF) flaw in the Client Access front end that let an unauthenticated attacker send crafted requests to the back end and be treated as if authenticated as the Exchange server itself. This was the keystone; every other step depended on it.
  • CVE-2021-26857: an insecure deserialization flaw in the Unified Messaging service enabling code execution as SYSTEM. On its own it requires administrator privileges, so in practice it was reached through the SSRF or another foothold.
  • CVE-2021-26858 and CVE-2021-27065: post-authentication arbitrary file-write flaws. Once the SSRF supplied the authentication, these let the attacker write a file with attacker-controlled content to any path on the server, which is how the web shell landed in the IIS web root. The canonical public chain used CVE-2021-27065 by injecting the payload into the Offline Address Book virtual directory's ExternalUrl and then resetting the directory to write it out as an .aspx file.

Chained together, these turned any reachable Exchange server into a fully attacker-controlled system with no valid credentials required.

What happened

Hafnium operators exploited the chain to drop ASP.NET web shells (including widely tracked "China Chopper" variants), then used that foothold to dump LSASS memory for credentials, export mailboxes with the Exchange PowerShell snap-in, and compress the data with 7-Zip for exfiltration. Microsoft characterised the initial Hafnium activity as limited and targeted, focused primarily on U.S.-based defense contractors, law firms, higher-education institutions, infectious-disease researchers, policy think tanks, and NGOs.

The disaster came after disclosure. Once the patch and indicators were public, at least ten distinct threat groups (some of which had been quietly exploiting the bugs before the fix shipped) launched indiscriminate mass scanning, racing to compromise unpatched servers before administrators could act. Within days an estimated 60,000+ organisations worldwide were compromised, and many remained backdoored even after patching: the update closed the hole but did nothing to remove web shells that had already been planted.
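The indicators described above (an unauthenticated request routed through the back end, a script injected into the OAB ExternalUrl, and an unexpected .aspx under the front-end or aspnet_client directories) translate directly into a hunt. The Python below is an added example, not code from the original page or from Microsoft's own Test-ProxyLogon tooling. The HttpProxy log rows, OAB ExternalUrl values and file paths are constructed for illustration, and the reduced column set and the helper names are assumptions; the real HttpProxy CSV logs carry many more columns, which the header-driven parser tolerates.

```python
"""Hunt for ProxyLogon (Hafnium) indicators in Exchange artefacts.

Added example, not part of the original page or of Microsoft's tooling.
All sample data below is constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

# CVE-2021-26855 indicator published by Microsoft: an HttpProxy log row with an
# empty AuthenticatedUser whose AnchorMailbox routes via the ServerInfo~ selector.
ANCHOR_SSRF = re.compile(r"^ServerInfo~", re.IGNORECASE)

# CVE-2021-27065 abuse: script or an ASP.NET directive stuffed into the Offline
# Address Book virtual directory's ExternalUrl, later written to disk as .aspx.
OAB_SCRIPT = re.compile(r"<script\b|<%@", re.IGNORECASE)

# Directories where Hafnium web shells were observed. The Exchange install root
# varies per server, so the FrontEnd\HttpProxy paths are matched by suffix.
DROP_DIR_PATTERNS = [
    re.compile(r"\\FrontEnd\\HttpProxy\\owa\\auth\\", re.IGNORECASE),
    re.compile(r"\\FrontEnd\\HttpProxy\\ecp\\auth\\", re.IGNORECASE),
    re.compile(r"^C:\\inetpub\\wwwroot\\aspnet_client\\", re.IGNORECASE),
]

# Constructed HttpProxy log: three benign rows and one SSRF pattern (request 0004).
# Row 0003 is unauthenticated but has no AnchorMailbox, so it must not be flagged.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-01T10:00:01.000Z,0001,/owa/,contoso\\alice,Smtp~alice@contoso.com,200
2021-03-01T10:00:02.000Z,0002,/ecp/,contoso\\bob,Sid~S-1-5-21-1-2-3-1105,200
2021-03-01T10:00:03.000Z,0003,/owa/auth/logon.aspx,,,200
2021-03-01T10:00:04.000Z,0004,/ecp/x.js,,ServerInfo~a]@exch01.contoso.local:444/ecp/x.js?#~1941962753,200
"""

# Constructed directory listing: two legitimate Exchange pages, two dropped shells.
SAMPLE_ASPX = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookEN.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\shell.aspx",
]
# In a real hunt this baseline is the file list from a clean install of the same CU.
KNOWN_GOOD = {p.lower() for p in SAMPLE_ASPX[:2]}


@dataclass(frozen=True)
class Finding:
    request_id: str
    url_stem: str
    anchor_mailbox: str
    reason: str


def scan_httpproxy_log(text: str) -> list[Finding]:
    """Return rows that match the unauthenticated ServerInfo~ routing pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        authed = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if not authed and ANCHOR_SSRF.search(anchor):
            findings.append(Finding(
                row["RequestId"], row["UrlStem"], anchor,
                "unauthenticated request routed via ServerInfo~ (CVE-2021-26855 pattern)",
            ))
    return findings


def oab_external_url_is_suspicious(external_url: str) -> bool:
    """An OAB ExternalUrl is a plain https URL; markup in it is the 27065 setup."""
    return bool(OAB_SCRIPT.search(external_url)) or "runat=" in external_url.lower()


def suspicious_aspx(paths, known_good) -> list[str]:
    """Return .aspx files in a known drop directory that are absent from the baseline."""
    baseline = {k.lower() for k in known_good}
    return [
        p for p in paths
        if p.lower().endswith(".aspx")
        and p.lower() not in baseline
        and any(pat.search(p) for pat in DROP_DIR_PATTERNS)
    ]


if __name__ == "__main__":
    for f in scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG):
        print(f"[SSRF] request {f.request_id} {f.url_stem}: {f.reason}")
    for p in suspicious_aspx(SAMPLE_ASPX, KNOWN_GOOD):
        print(f"[WEBSHELL?] unexpected file in drop directory: {p}")
    print("[OAB] suspicious:", oab_external_url_is_suspicious(
        'http://f/<script language="JScript" runat="server">'))
```

Three points of design are worth noting. The log scan keys on the conjunction of "no authenticated user" and "ServerInfo~ anchor", because either alone is normal traffic. The OAB check is the cheap, high-signal test for the file-write primitive and belongs in any post-patch sweep, since a poisoned ExternalUrl survives the update. The file check needs a baseline rather than a name list: Hafnium's shell names mimicked legitimate Exchange pages, so an unknown .aspx in a drop directory is the signal, not a particular filename.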

Response

  • CISA issued Emergency Directive 21-02 on 3 March, ordering federal agencies to patch or disconnect affected servers and to hunt for compromise before reconnecting.
  • Microsoft released a one-click Exchange On-premises Mitigation Tool and updated its Safety Scanner (MSERT) to detect and remove known web shells, aimed at smaller organisations without dedicated security staff.
  • On 13 April 2021, the U.S. DOJ disclosed a court-authorised FBI operation that proactively removed web shells from hundreds of compromised U.S. servers, a notable instance of law enforcement remediating private systems directly.
  • The DearCry ransomware family began exploiting the same flaws within about a week of the patch, turning an espionage foothold into a ransomware vector.

Why it matters

ProxyLogon is the defining mass-exploitation event of 2021 and a textbook study of patch-gap dynamics: the window between public disclosure and patch deployment became a feeding frenzy in which the very information meant to protect defenders armed dozens of attackers. It hardened industry consensus that Internet-facing mail infrastructure is a top-tier target, accelerated migration from on-premises Exchange to managed cloud, and reinforced that patching alone is insufficient. Once a server has been breached, defenders must hunt for and evict the persistence the attacker has already established.

Timeline

  1. December 2020: Researchers at DEVCORE discover the ProxyLogon SSRF (CVE-2021-26855) and the file-write flaw (CVE-2021-27065) that together form the chain, and begin coordinated disclosure to Microsoft in early January 2021.

  2. January 2021: DEVCORE reports the vulnerabilities to Microsoft; independently, Volexity reports in-the-wild exploitation of Exchange zero-days it has observed against its customers.

  3. Hafnium and other actors escalate exploitation, scanning and compromising Internet-facing Exchange servers ahead of a patch.

  4. Microsoft releases emergency out-of-band patches for the four CVEs and publicly attributes the campaign to the China-based Hafnium group.

  5. CISA issues Emergency Directive 21-02 ordering U.S. federal agencies to patch or disconnect affected Exchange servers.

  6. Mass exploitation by 10+ threat groups follows public disclosure; an estimated 60,000+ organisations worldwide are compromised, many with persistent web shells.

  7. The DearCry ransomware family is observed exploiting the same Exchange vulnerabilities.

  8. The U.S. DOJ announces a court-authorised FBI operation to remove malicious web shells from hundreds of compromised U.S. Exchange servers.

Sources

  1. Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  2. CISA Advisory AA21-062A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
  3. MSRC: https://msrc.microsoft.com/blog/2021/03/multiple-security-updates-released-for-exchange-server/
  4. Palo Alto Networks Unit 42: https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/
