The Microsoft Exchange attack leveraging multiple zero-days has by some accounts been one of the most wide-spread and potentially damaging hacks in history, orchestrated by a group Microsoft has named HAFNIUM. Malicious network activity related to the attack was first detected in January but the full nature and extent of the attack was publicly disclosed only on March 2nd. Active exploitation started around February 26th, primarily targeting U.S. entities. 

Virtually any enterprise running Exchange Server on-premises is vulnerable to this sophisticated attack leveraging four zero-day exploits chained together. Once the attackers have breached the Exchange Server they can use that server access to move laterally, exfiltrate company data or compromise the target network in other ways.

There are a range of signatures that defenders can look for to determine if their organization has been compromised by the Hafnium group (that Microsoft has publicly attributed as a state-sponsored group based in China). For ThreatSTOP customers, the IOCs (IPs and Domains) have been added in February so that any attempted exfiltration or C2 communication will trigger an alert and blocking action. 

Here's a partial list of Hafnium-related IP subnets we are blocking and alerting on:


Here's an example of the result when searching on an IP address associated with Hafnium:

Hafnium IP activity 2

We also provide a target, Anonymous VPN Services Exit - IPs, that customers can use to block access to their network from  those services. We also recommend applying the TOR targets that will block communication with TOR exit nodes. The Hafnium group has been observed using such anonymized services.

If you'd like assistance to optimize policy management or guidance on log analysis, contact our customer success team.


Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?    

Get a Demo


Further reading: