Severity: MEDIUM | CVSS: 5.0 | Priority: 0.150
Executive Summary
U.S. authorities have extradited a Chinese national linked to the Silk Typhoon (Hafnium) espionage group, formally connecting the group to China's Shanghai State Security Bureau and a commercial front company. The campaign targeted COVID-19 research institutions and exploited Microsoft Exchange Server zero-days between 2020 and 2021. Organizations that ran unpatched Exchange servers during that window should treat this as a confirmation of the threat actor's capabilities and revisit historical logs for signs of compromise.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: MEDIUM (Medium severity — monitor and assess)
Actor Attribution: HIGH (Silk Typhoon, Hafnium)
TTP Sophistication: HIGH (11 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: INFO (Microsoft Exchange Server 2019 and earlier versions, vulnerable during the 2020-2021 campaign window)
Are You Exposed?
⚠ Your industry is targeted by Silk Typhoon, Hafnium → Heightened risk
⚠ You use products/services from Microsoft Exchange Server (2019 and earlier versions vulnerable during the 2020-2021 campaign window) → Assess exposure
⚠ 11 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
The formal legal attribution of Silk Typhoon to Chinese state intelligence confirms that the 2020–2021 Exchange exploitation campaign was directed espionage, not opportunistic crime. Organizations in research, biotech, defense contracting, or government that operated Exchange Server during that window face residual risk — persistent access via valid credentials or web shells may not have been detected or fully eradicated. Regulatory exposure is highest for organizations subject to research data protection obligations or federal contracting cybersecurity requirements (CMMC, FISMA), where undetected historical compromise carries both compliance and reputational consequences.
You Are Affected If
You ran Microsoft Exchange Server 2019 or earlier in production between February 2020 and June 2021
Your Exchange environment was internet-facing without WAF or IPS during that window
You have not conducted a post-ProxyLogon/ProxyShell forensic review of IIS logs and Exchange virtual directories
Your organization operates in a sector targeted by Silk Typhoon: COVID-19 research, biotech, defense, law firms, or government
You have not rotated service account credentials associated with Exchange since early 2021
Board Talking Points
A U.S. court has formally tied the Chinese government's intelligence service to a 2020–2021 cyberattack campaign that compromised Microsoft Exchange servers at research and government institutions.
Organizations that ran Exchange Server during that period should commission a targeted forensic review of historical logs to confirm no persistent access remains — this should be completed within 30 days.
Without that review, organizations cannot rule out that Chinese state-sponsored actors retained access to email, research data, or internal systems — a risk with significant legal, regulatory, and reputational consequences.
Technical Analysis
The indictment attributes the 2020-2021 Silk Typhoon (Hafnium) Exchange exploitation campaign to MSS operator Xu Zewei and the Shanghai State Security Bureau (SSSB), operating through the front company Powerock Network.
The campaign exploited Microsoft Exchange Server zero-days consistent with the ProxyLogon and ProxyShell vulnerability chains, covering CWE-287 (improper authentication), CWE-502 (deserialization of untrusted data), and CWE-78 (OS command injection).
Affected versions: Exchange Server 2010 through 2019 (versions unpatched as of March-April 2021 for ProxyLogon; August 2021 for ProxyShell).
MITRE ATT&CK techniques observed include T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1059 (Command and Scripting Interpreter), T1560 (Archive Collected Data), T1078 (Valid Accounts), T1213 (Data from Information Repositories), T1071 (Application Layer Protocol), T1591/T1589 (Gather Victim Information), T1583.001 (Acquire Infrastructure: Domains), and T1588.006 (Obtain Capabilities: Vulnerabilities). No new CVEs or patches are associated with this indictment; the legal action advances attribution, not new technical disclosure. Exchange Server 2019 remains actively patched; the August 2025 update (KB5063221, latest as of that date) and December 2025 security updates are the current baselines per Microsoft and CISA.
Action Checklist (IR Enriched)
Triage Priority:
URGENT
Escalate immediately to legal counsel, senior leadership, and potentially CISA (via report@cisa.gov) if historical Exchange IIS log analysis confirms POST requests to /ecp/DDI/ or /owa/auth/Current/ from external IPs during February 2020–June 2021, if unauthorized ASPX files are found in Exchange virtual directories, if mailbox forwarding rules to external domains are discovered, or if the organization falls within Silk Typhoon's documented targeting scope (COVID-19 research, biotech, defense, or federal contractors) — any of these conditions may trigger HIPAA breach notification, FISMA incident reporting, or CIRCIA obligations depending on sector.
Step 1: Containment — Confirm all Exchange Server 2019 and earlier instances have current cumulative updates applied. Verify no unauthorized ASPX web shells remain in IIS virtual directories (OWA, ECP, Autodiscover). Place internet-facing Exchange behind a reverse proxy to restrict direct exposure. (Cite: NIST AC-4 — Information Flow Enforcement / CIS 4.4 — Implement and Manage a Firewall on Servers / D3-PBWSAM — Proxy-based Web Server Access Mediation)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: Choose a containment strategy based on criteria such as potential damage, evidence preservation needs, and service availability requirements.
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
Run Microsoft's Exchange On-Premises Mitigation Tool (EOMT.ps1) — a free, Microsoft-provided script that applies URL rewrite mitigations for ProxyLogon and scans IIS virtual directories for known web shell signatures. Enumerate all ASPX files under Exchange virtual paths and hash them in the same pass, so the resulting CSV can be compared directly against the known Hafnium web shell hashes published in CISA Alert AA21-062A: Get-ChildItem -Recurse -Path 'C:\inetpub\wwwroot\aspnet_client\', 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\', 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\' -Filter '*.aspx' | ForEach-Object { [pscustomobject]@{ FullName = $_.FullName; LastWriteTime = $_.LastWriteTime; Length = $_.Length; SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } } | Export-Csv webshell_audit.csv -NoTypeInformation.
Preserve Evidence
Before patching or removing files, image or snapshot the Exchange server. Preserve: (1) Full contents of IIS virtual directories — specifically C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ and C:\inetpub\wwwroot\aspnet_client\ — where Hafnium staged web shells such as 'web.aspx', 'healthcheck.aspx', and randomized-name ASPX files after ProxyLogon exploitation. (2) IIS application pool identity tokens and W3WP.exe process memory dumps if web shell activity is suspected to be active. (3) Windows NTFS $MFT and $LogFile entries to establish file creation timestamps for any ASPX artifacts, distinguishing attacker-dropped files from legitimate Exchange components. (4) Exchange transport queue database (mail.que) for evidence of data staging or exfiltration via internal mail relay — a documented Hafnium TTP.
Step 2: Detection — Search Exchange IIS logs (W3SVC1, W3SVC2) from February 2020 through June 2021 for anomalous POST requests to /owa/auth/Current/, /ecp/DDI/, and /autodiscover/autodiscover.json from external IPs without preceding authenticated sessions. Hunt for ASPX files created outside normal Exchange installation paths. Review Windows Security Event IDs 4624 (Logon Type 3/8), 4625, and 4648 for unexpected source IPs against Exchange service accounts. Anchor SIEM queries on MITRE T1505.003 and T1078. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis / D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Analyze all available precursors and indicators, including logs, error messages, and IDS/IPS alerts, correlating them across multiple sources to establish scope.
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Parse Exchange IIS logs (default path: C:\inetpub\logs\LogFiles\W3SVC1\) using PowerShell without a SIEM. IIS W3C logs carry '#'-prefixed header lines and name their columns in a '#Fields:' line, so Import-Csv cannot read them directly; strip the comment lines and supply the field names instead: Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\' -Filter '*.log' | Where-Object { $_.LastWriteTime -gt '2020-02-01' -and $_.LastWriteTime -lt '2021-06-30' } | ForEach-Object { $fields = ((Select-String -Path $_.FullName -Pattern '^#Fields:' | Select-Object -First 1).Line -replace '^#Fields:\s*', '') -split ' '; Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } | ConvertFrom-Csv -Delimiter ' ' -Header $fields } | Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -match '/owa/auth/Current/|/ecp/DDI/|/autodiscover/autodiscover.json' } | Select-Object date, time, 'c-ip', 'cs-uri-stem', 'sc-status' | Export-Csv hafnium_hits.csv -NoTypeInformation. Deploy the free Sigma rule 'win_exchange_proxylogon_webshell' (available in the SigmaHQ repository) against the Windows Event Log using Chainsaw (free, Rust-based log scanner) for hosts where IIS logs have been rotated or deleted. Cross-reference source IPs against known Hafnium infrastructure published in CISA AA21-062A and the Microsoft MSTIC blog (March 2021).
Preserve Evidence
Preserve the following before log rotation overwrites entries: (1) IIS W3SVC1 and W3SVC2 log files spanning February 2020–June 2021 in original format — Hafnium ProxyLogon exploitation produces a distinctive two-stage HTTP pattern: an initial unauthenticated POST to /ecp/DDI/DDIService.svc/GetObject followed by a second POST to /owa/auth/Current/ delivering the web shell payload. (2) Exchange HttpProxy logs at C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\ — these capture backend request routing and reveal the SSRF component of ProxyLogon (CVE-2021-26855) where the attacker spoofed the X-AnonResource-Backend header to reach the backend Exchange endpoint as SYSTEM. (3) Exchange ECP server logs at C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server\ for evidence of unauthorized OAB (Offline Address Book) virtual directory writes, which Hafnium used to stage web shells via CVE-2021-27065. (4) Windows Security Event Log Event ID 4688 (Process Creation) filtered on W3WP.exe spawning cmd.exe, powershell.exe, or certutil.exe — the characteristic pattern of a web shell executing OS commands under the Exchange application pool identity.
Step 3: Eradication — Apply all current Exchange Server cumulative security updates per Microsoft's patch cadence (CIS 7.3, 7.4). Remove any unauthorized ASPX files from Exchange virtual directories. Rotate credentials for all service accounts with Exchange access — Silk Typhoon used T1078 (Valid Accounts) for persistence. Disable or remove dormant service and administrative accounts identified during investigation. (Cite: NIST AC-2 — Account Management / CIS 7.3 — Perform Automated Operating System Patch Management / CIS 7.4 — Perform Automated Application Patch Management / CIS 5.3 — Disable Dormant Accounts / D3-CRO — Credential Rotation)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: After containing the incident, eradicate the cause by deleting malware, disabling breached accounts, and mitigating exploited vulnerabilities to prevent recurrence.
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST IA-5 (Authenticator Management) — implied by credential rotation requirement
CIS 5.2 (Use Unique Passwords)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
For credential rotation without enterprise PAM tooling: (1) Export Exchange service accounts: managed service accounts via Get-ADServiceAccount -Filter * -Properties LastLogonDate | Select Name, SamAccountName, LastLogonDate (LastLogonDate is not returned unless requested), and conventional user-object service accounts via Get-ADUser with the same properties; cross-reference the result against accounts with Exchange Organization Management or Server Management role group membership via Get-RoleGroupMember. (2) Use the free tool 'BloodHound CE' (community edition) to map which accounts Silk Typhoon may have pivoted through using valid credential reuse — specifically look for accounts that authenticated to Exchange over EWS or MAPI during the 2020–2021 window as captured in Exchange Message Tracking logs. (3) After rotating credentials, deploy the YARA rule sets from the CISA AA21-062A advisory against the Exchange installation directory to confirm no residual web shell variants remain before restoring full service.
Preserve Evidence
Before credential rotation or file deletion, collect: (1) Active Directory replication metadata for Exchange service accounts — specifically pwdLastSet, LastLogonTimestamp, and adminCount attributes — to establish whether Silk Typhoon elevated privileges using T1078 by modifying account properties rather than resetting passwords, a forensically significant distinction. (2) Exchange Management Shell audit logs at C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\ — Hafnium operators executed Exchange PowerShell cmdlets (New-ExchangeCertificate, Set-OabVirtualDirectory) to reconfigure OAB virtual directories as part of CVE-2021-27065 exploitation; these cmdlet logs capture operator commands with timestamps. (3) Windows Security Event Log Event IDs 4720 (account created), 4732 (member added to security-enabled local group), and 4728 (member added to global security group) for the 2020–2021 window — Silk Typhoon created backdoor accounts for T1078 persistence that may persist in disabled state. (4) LSASS memory dump (using ProcDump: procdump.exe -ma lsass.exe lsass.dmp) if active credential theft is suspected — preserve before credential rotation invalidates the forensic baseline.
Step 4: Recovery — Validate Exchange server integrity by reviewing IIS configuration and application paths against known-good baselines (D3-SICA). Monitor Exchange Application and Security event logs for recurrence of anomalous authentication patterns. Confirm no unauthorized mailbox forwarding rules or delegation persists (T1213 indicator). Enforce least privilege on all Exchange service and administrative accounts. (Cite: NIST AC-6 — Least Privilege / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts / D3-SICA — System Init Config Analysis / D3-UAP — User Account Permissions)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: Restore systems to normal operation, confirm systems are functioning normally, and implement additional monitoring to watch for recurrence of compromise.
NIST IR-4 (Incident Handling)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-3 (Content of Audit Records)
NIST SI-6 (Security and Privacy Function Verification)
CIS 8.2 (Collect Audit Logs)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Audit Exchange mailbox forwarding rules and delegate access without a third-party tool using: (1) Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object {$_.ForwardTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null -or $_.RedirectTo -ne $null} | Select MailboxOwnerID, Name, ForwardTo, RedirectTo — Silk Typhoon established forwarding rules to exfiltrate COVID-19 research email to external addresses. (2) Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {$_.AccessRights -eq 'FullAccess' -and $_.IsInherited -eq $false} (Get-MailboxPermission does not accept a wildcard -Identity, so pipe the mailbox list into it) to detect unauthorized mailbox delegation added for persistent T1213 collection access. (3) Deploy Sysmon with a configuration tuned to Event ID 3 (Network Connection) filtering on W3WP.exe or UMWorkerProcess.exe making outbound connections to non-Microsoft IP ranges — an indicator of active web shell C2 or data exfiltration resuming post-recovery.
Preserve Evidence
Before declaring recovery complete, collect and preserve: (1) Exchange Message Tracking logs (Get-MessageTrackingLog -Start '2020-02-01' -End '2021-06-30' -EventID SEND) filtered for messages sent to external domains from high-value mailboxes — these establish the data exfiltration scope specific to the Silk Typhoon COVID-19 research targeting documented in the indictment. (2) Exchange Mailbox Audit logs (if enabled) from the O365 Unified Audit Log or on-premises equivalent, specifically MailboxLogin, SendAs, and MailItemsAccessed operations, which can confirm whether Silk Typhoon accessed specific research mailboxes consistent with their documented targeting of biotech and COVID-19 institutions. (3) Network flow data (NetFlow/IPFIX) for Exchange server outbound connections during the 2020–2021 window — Hafnium exfiltrated data to US-based cloud infrastructure (specifically Vultr and Choopa VPS providers as documented by Microsoft MSTIC) and this pattern is forensically distinguishable from legitimate Exchange traffic.
Step 5: Post-Incident — This indictment confirms MSS-linked actors use commercial cutouts and maintained persistent access via valid credentials after initial exploitation. Review whether your organization falls within Silk Typhoon targeting scope (COVID-19 research, biotech, defense, government). Update threat model to account for T1591/T1589 pre-compromise reconnaissance. Enforce MFA on all externally-exposed Exchange and administrative interfaces. Ensure audit log retention covers the full 2020–2021 campaign window for retrospective analysis. Establish account inventory review cadence. (Cite: NIST AU-11 — Audit Record Retention / NIST AC-2 — Account Management / CIS 5.1 — Establish and Maintain an Inventory of Accounts / CIS 6.3 — Require MFA for Externally-Exposed Applications / CIS 6.5 — Require MFA for Administrative Access / D3-MFA — Multi-factor Authentication / D3-CH — Credential Hardening)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Conduct lessons learned meetings, update IR plans and detection capabilities based on findings, and share threat intelligence to improve the broader community's posture.
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment) — implied by threat model update requirement
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
For organizations without enterprise threat intelligence platforms: (1) Subscribe to CISA's free Automated Indicator Sharing (AIS) feed and cross-reference your DNS query logs and firewall egress logs against Silk Typhoon IOCs from AA21-062A and the March 2021 Microsoft MSTIC Hafnium blog post — both are freely available and contain IP ranges and domains used by MSS cutout infrastructure. (2) Use SpiderFoot HX (free community edition) or Maltego CE to assess your organization's external attack surface as Silk Typhoon would have seen it via T1591 reconnaissance — enumerate internet-facing Exchange OWA endpoints, autodiscover DNS records, and certificate transparency logs that would have identified your Exchange version pre-exploitation. (3) Implement ModSecurity (free WAF) with the OWASP CRS ruleset in front of Exchange OWA if a commercial WAF is not available — specifically enable the rules targeting SSRF patterns (REQUEST-934-APPLICATION-ATTACK-GENERIC) that would detect ProxyLogon-style X-AnonResource-Backend header manipulation.
Preserve Evidence
For the post-incident review, compile and retain: (1) A complete timeline correlating IIS log anomalies, ECP cmdlet audit entries, and AD account modification events — this is the evidentiary foundation for any regulatory notification determination (HIPAA breach notification if COVID-19 research involved PHI; FISMA reporting if the organization is a federal contractor). (2) DNS query logs from the 2020–2021 window for lookups resolving to Hafnium-attributed infrastructure as documented in CISA AA21-062A — passive DNS evidence of pre-exploitation reconnaissance via T1590/T1591 may establish the attacker's dwell time beginning before the first observed IIS log anomaly. (3) Any threat intelligence sharing submissions to CISA's CIRCIA reporting portal or Information Sharing and Analysis Centers (ISACs) relevant to your sector — the Silk Typhoon indictment specifically names biotech, defense, and government verticals, making sector-level intelligence sharing both operationally valuable and potentially required under emerging CIRCIA regulations.
Recovery Guidance
After eradication is confirmed, restore Exchange to full internet-facing operation only after WAF or reverse proxy (e.g., nginx with ModSecurity) is positioned in front of OWA and ECP endpoints, and only after all Exchange virtual directory configurations have been validated against Microsoft's Exchange Health Checker script output (free tool from Microsoft GitHub). Maintain elevated monitoring of Exchange IIS logs, Windows Security Event IDs 4625/4648/4672, and mailbox delegation changes for a minimum of 90 days post-recovery, given Silk Typhoon's documented use of T1078 (Valid Accounts) for long-duration persistence that survived initial patching cycles during the 2020–2021 campaign. Given the MSS attribution and nation-state TTPs confirmed in the indictment, organizations in targeted sectors should treat any re-emergence of anomalous Exchange authentication patterns as a potential re-entry attempt and re-initiate the full IR lifecycle rather than treating it as routine noise.
Key Forensic Artifacts
IIS W3SVC1/W3SVC2 log files (C:\inetpub\logs\LogFiles\) spanning February 2020–June 2021: the forensic signature of Silk Typhoon ProxyLogon exploitation is a two-stage unauthenticated POST sequence — first to /ecp/DDI/DDIService.svc/GetObject (CVE-2021-26855 SSRF trigger) followed by a POST to /owa/auth/Current/ or /owa/auth/<randomname>.aspx (web shell delivery via CVE-2021-27065 OAB virtual directory write), distinguishable from legitimate Exchange traffic by the absence of a valid session cookie in the SSRF request.
Exchange HttpProxy logs (C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\): capture the backend SSRF routing component of CVE-2021-26855 where Hafnium manipulated the X-AnonResource-Backend and X-BEResource cookie headers to authenticate to the backend Exchange endpoint as NT AUTHORITY\SYSTEM — these logs contain the spoofed backend URL values that are absent from standard IIS logs and are the most precise forensic indicator of ProxyLogon exploitation versus other Exchange attack types.
Exchange ECP server logs (C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server\) and CmdletInfra logs (C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\): record the execution of Set-OabVirtualDirectory and New-ExchangeCertificate cmdlets used in CVE-2021-27065 exploitation to write attacker-controlled ASPX content to the OAB virtual directory — these cmdlet audit entries establish the precise timestamp of web shell installation and the Exchange identity under which the commands executed.
NTFS $MFT (Master File Table) and $LogFile from the Exchange server volume: provide byte-level creation and modification timestamps for ASPX files dropped in Exchange virtual directories, enabling timeline reconstruction that distinguishes Silk Typhoon-staged web shells (typically created within minutes of the /ecp/DDI/ log entries) from legitimate Exchange application files — recoverable even if the attacker deleted the ASPX file post-exfiltration using free tools such as Autopsy or Eric Zimmerman's MFTECmd.
Active Directory event logs (Windows Security Event IDs 4720, 4728, 4732, 4738) and Exchange Management Shell audit logs for the 2020–2021 window: Silk Typhoon created local and domain accounts and added them to Exchange role groups (specifically Organization Management) for T1078 persistent access after initial web shell deployment — these event log entries, combined with AD replication metadata (repadmin /showrepl and Get-ADUser with PasswordLastSet/WhenCreated attributes), establish the full persistence timeline beyond the initial exploitation foothold.
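The two-stage IIS log pattern described under Step 2 and in the Key Forensic Artifacts above, as an added hunting example that is not part of the original advisory: it parses W3C-format IIS log text (honouring the #Fields header line, which is why Import-Csv alone fails on these files) and flags any client IP whose unauthenticated POST to /ecp/DDI/DDIService.svc/GetObject is followed shortly by a POST to /owa/auth/Current/ or /owa/auth/<name>.aspx. The sample log lines, the ten-minute pairing window, and the use of cs-username '-' as the "no authenticated session" marker are constructed assumptions (cs(Cookie) is not in the default IIS field set, so the cookie check from the artifact list is approximated with the username column).

```python
"""Hunt IIS W3C logs for the two-stage ProxyLogon request sequence.

Stage 1: unauthenticated POST to /ecp/DDI/DDIService.svc/GetObject (SSRF trigger)
Stage 2: POST to /owa/auth/Current/... or /owa/auth/<name>.aspx from the same
         client IP within WINDOW (web shell delivery via the OAB vdir write)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGE1 = re.compile(r"^/ecp/DDI/DDIService\.svc/GetObject$", re.IGNORECASE)
STAGE2 = re.compile(r"^/owa/auth/(Current/|[^/]+\.aspx$)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumed pairing window; tune per environment

# Constructed sample in IIS W3C format with the default field set; not real traffic.
# Line 4 is a legitimate, authenticated admin call to the same ECP endpoint and
# must NOT be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-02 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 10:00:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.22 Mozilla/5.0 - 200 0 0 120
2021-03-02 10:02:10 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetObject - 443 - 198.51.100.77 - - 200 0 0 431
2021-03-02 10:02:14 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.aspx - 443 - 198.51.100.77 - - 200 0 0 97
2021-03-02 10:05:00 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetObject - 443 CORP\\admin 10.0.0.40 Mozilla/5.0 - 200 0 0 55
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names from the #Fields header.

    IIS rewrites the #Fields line whenever the logged column set changes, so the
    header is re-read each time it appears instead of being fixed up front.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # #Software / #Version / #Date metadata
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_proxylogon_sequences(text):
    """Return [(c-ip, stage1_time, stage2_time, stage2_uri), ...] for paired hits."""
    stage1_by_ip = defaultdict(list)
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row.get("c-ip", "")
        uri = row.get("cs-uri-stem", "")
        # Stage 1 only counts when IIS recorded no authenticated user ("-").
        if STAGE1.match(uri) and row.get("cs-username", "-") == "-":
            stage1_by_ip[ip].append(ts)
        elif STAGE2.match(uri):
            for t1 in stage1_by_ip.get(ip, []):
                if timedelta(0) <= ts - t1 <= WINDOW:
                    hits.append((ip, t1.isoformat(), ts.isoformat(), uri))
                    break
    return hits


if __name__ == "__main__":
    for ip, t1, t2, uri in find_proxylogon_sequences(SAMPLE_LOG):
        print(f"{ip}: GetObject at {t1} -> {uri} at {t2}")
```

Point the script at concatenated W3SVC1/W3SVC2 log text for the February 2020 to June 2021 window; each hit gives the IP and timestamps to pivot into the HttpProxy, ECP and CmdletInfra logs listed above.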
Detection Guidance
Primary hunting surface is Exchange IIS logs (W3SVC1, W3SVC2) covering February 2020 through June 2021.
Per NIST AU-2 (Event Logging), confirm that authentication events, HTTP request logs, file system changes, and process execution events were captured during this window.
Per NIST AU-3 (Content Of Audit Records), validate that log entries include source IP, timestamp, user identity, and request path — fields required to identify ProxyLogon and ProxyShell exploitation patterns.
Hunt for POST requests to /owa/auth/Current/themes/resources/, /ecp/DDI/DDIService.svc/, and /autodiscover/ endpoints from external IPs with no preceding authenticated session. Per NIST AU-6 (Audit Record Review, Analysis, And Reporting), review and analyze these records for indicators of T1190 (Exploit Public-Facing Application) and T1505.003 (Server Software Component: Web Shell).
Apply D3-SFA (System File Analysis) to scan Exchange virtual directories — %ExchangeInstallPath%FrontEnd\HttpProxy and ClientAccess paths — for ASPX files created outside normal installation context. Apply D3-FMBV (File Magic Byte Verification) to flag files whose extension does not match their actual file type, a technique used to obscure web shell payloads.
In Windows Security logs, hunt for Event ID 4624 (Logon Type 3 or 8) from unexpected source IPs against Exchange service accounts, and Event IDs 4625 and 4648 for credential reuse consistent with T1078 (Valid Accounts). Apply D3-LAM (Local Account Monitoring) to identify local account activity anomalies on Exchange hosts.
Per NIST AU-8 (Time Stamps), confirm log timestamps are synchronized to a reliable time source before correlating cross-system events. Per CIS 8.2 (Collect Audit Logs), verify logging was enabled across all Exchange infrastructure during the target window; gaps in log coverage should themselves be treated as an indicator. Per NIST AU-11 (Audit Record Retention), confirm historical logs from the 2020–2021 campaign window are still accessible; if not, document the gap and escalate.
No new IOCs were released with the indictment. The March 2021 CISA advisory on Microsoft Exchange Server vulnerabilities remains the authoritative historical IOC reference set for this campaign.
Indicators of Compromise
No new IOCs were published alongside the extradition and indictment. Historical Hafnium IOCs from the March 2021 CISA and Microsoft disclosures remain the reference set. Consult CISA's Exchange advisory for the current IOC list. (Confidence: LOW)
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Suspicious PowerShell command line (KQL, detection query only)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns (KQL, detection query only)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Sign-ins from unusual locations (KQL, detection query only)
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Web application exploit patterns (KQL, detection query only)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Compliance Framework Mappings
MITRE ATT&CK: T1505.003, T1560, T1591, T1059, T1588.006, T1071, and 5 more (listed in full below)
NIST SP 800-53: CM-2, CM-7, SI-3, SI-4, SI-7, CA-7, and 11 more
OWASP Top 10: A03:2021, A07:2021, A08:2021
MITRE ATT&CK Mapping
T1560 — Archive Collected Data (collection)
T1591 — Gather Victim Org Information (reconnaissance)
T1059 — Command and Scripting Interpreter (execution)
T1588.006 — Obtain Capabilities: Vulnerabilities (resource-development)
T1071 — Application Layer Protocol (command-and-control)
T1589 — Gather Victim Identity Information (reconnaissance)
T1078 — Valid Accounts (defense-evasion)
T1213 — Data from Information Repositories (collection)
T1190 — Exploit Public-Facing Application (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.