Threat Advisory: Microsoft Exchange Server including CVE-2021-24085, 26855, 26857, 26858, and 27065

Microsoft has disclosed new security issues affecting Microsoft Exchange Server versions 2010, 2013, 2016 and 2019. Blue Hexagon Threat Lab has been tracking active exploitation attempts and attacks against on-premises Exchange Servers that expose Outlook Web Access to the public Internet. Publishing OWA this way is the usual means of providing webmail for on-premises Exchange, which explains the wide range of organizations affected by this campaign.

It is very easy for threat actors to initiate such attacks: a simple Shodan search surfaces a few hundred thousand such Internet-reachable servers, tens of thousands of them in the United States, even when limited to a single Exchange version.

Vulnerability – Summary and Analysis

Several CVEs are part of this attack kill chain:

Chaining these vulnerabilities, an attacker who holds stolen administrator credentials, or who gains equivalent access through an ECP exploit, can write a file to any path on the server and execute arbitrary code as SYSTEM.

The underlying weakness is that, instead of generating random keys per installation, every installation of Microsoft Exchange Server ships with the same validationKey and decryptionKey values in web.config. These keys protect ViewState, the page state that ASP.NET web applications serialize and store on the client, which the client hands back to the server in the __VIEWSTATE request parameter. The server trusts any ViewState that carries a valid MAC under its validationKey, so anyone who knows the shared key can craft a serialized payload that the server accepts and deserializes.
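A configuration check for the weakness just described, added here as an example and not code from the advisory or from Blue Hexagon: it parses a web.config (the sample below is constructed, and its key values are placeholders rather than the real Exchange keys) and reports whether validationKey and decryptionKey are literal values instead of ASP.NET's AutoGenerate setting, and whether they appear in an operator-supplied list of keys known to be shared across installations. The list of known shared keys is an assumption the operator fills in; a literal key on its own is not a finding, the same literal key on every server is.

```python
"""Audit an ASP.NET web.config for a shared, hard-coded <machineKey>.

Added example, not code from the advisory or from Blue Hexagon. Key values
in the sample are placeholders, not the real Exchange keys.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

# Constructed sample in the shape of an ASP.NET web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Assumption: keys the operator has confirmed ship identically to every
# install. For the demo this is the sample's own placeholder key.
KNOWN_SHARED_VALIDATION_KEYS = {"0" * 64}


def _is_literal(value: Optional[str]) -> bool:
    # "AutoGenerate" (optionally ",IsolateApps") makes ASP.NET derive a
    # per-machine key; any other value is a fixed, copyable secret.
    return value is not None and not value.strip().lower().startswith("autogenerate")


def audit_machine_key(web_config_xml: str, known_shared: Iterable[str] = ()) -> dict:
    """Report whether the machineKey is literal and whether it is a known shared key."""
    known = {k.strip().lower() for k in known_shared}
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    result = {
        "machine_key_present": mk is not None,
        "validation_key_literal": False,
        "decryption_key_literal": False,
        "validation_algorithm": None,
        "matches_known_shared": False,
        "verdict": "ok",
    }
    if mk is None:
        # No element at all: ASP.NET auto-generates keys, the safe default.
        return result
    vk, dk = mk.get("validationKey"), mk.get("decryptionKey")
    result["validation_key_literal"] = _is_literal(vk)
    result["decryption_key_literal"] = _is_literal(dk)
    result["validation_algorithm"] = mk.get("validation")
    result["matches_known_shared"] = bool(vk) and vk.strip().lower() in known
    if result["matches_known_shared"]:
        result["verdict"] = "shared-key: rotate machineKey on every server"
    elif result["validation_key_literal"] or result["decryption_key_literal"]:
        result["verdict"] = "literal-key: confirm it is unique to this install"
    return result


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG, KNOWN_SHARED_VALIDATION_KEYS))
```

Run it against the web.config of each Exchange virtual directory that exposes ViewState (ECP in particular), feeding it the keys your vendor advisory identifies as shared; a "literal-key" verdict still needs a comparison across servers to decide whether the key is unique.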

Attack Kill Chain

  • The attacker first searches for a specific token with a request to /ecp/DDI/DDIService.svc/GetList.
  • If that request succeeds, the attacker writes the token to the server's filesystem with a request to /ecp/DDI/DDIService.svc/SetObject.
  • The token is now directly downloadable, so the attacker sends a GET request for it (/ecp/attacker.png in this example); that download is recorded in the IIS logs against the same source IP as the earlier requests.
  • Indicators of compromise therefore include requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially from client user agents that are unusual for your administrators.
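The kill chain above, turned into a hunt over IIS logs. This is an added example, not code from the advisory or from Blue Hexagon: it reads IIS W3C-format log lines (the lines below are constructed for this example) and, per client IP, checks for the sequence GetList, then SetObject, then a GET of a file sitting directly under /ecp/ with a .png extension, and notes when the client user agent does not look like a browser. The field list, the ten-minute window and the user-agent heuristic are assumptions; adjust them to your own logs.

```python
"""Correlate Exchange IIS logs for the ECP DDI kill chain described above.

Added example, not code from the advisory or from Blue Hexagon. The sample
log lines are constructed; field order, window and UA heuristic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GETLIST = "/ecp/ddi/ddiservice.svc/getlist"
SETOBJECT = "/ecp/ddi/ddiservice.svc/setobject"
# Legitimate ECP images live under versioned theme folders (/ecp/<ver>/...);
# a PNG directly under /ecp/ matches the download step of the chain.
ECP_PNG = re.compile(r"^/ecp/[^/]+\.png$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumption: the stages land within ten minutes

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:01:07 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/86.0 200
2021-03-03 10:02:11 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList - 443 CORP\\admin 198.51.100.23 python-requests/2.25.1 200
2021-03-03 10:02:14 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 CORP\\admin 198.51.100.23 python-requests/2.25.1 200
2021-03-03 10:02:20 10.0.0.5 GET /ecp/attacker.png - 443 - 198.51.100.23 python-requests/2.25.1 200
2021-03-03 10:05:40 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList - 443 CORP\\helpdesk 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0)+Chrome/89.0 200
2021-03-03 10:06:02 10.0.0.5 GET /ecp/15.1.2176/themes/resources/logo.png - 443 CORP\\helpdesk 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0)+Chrome/89.0 200
"""


def parse_iis(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def looks_like_script_client(user_agent):
    # Heuristic (assumption): browsers send Mozilla/-prefixed agents; the usual
    # exploit tooling (python-requests, curl, Go http client) does not.
    return not user_agent.startswith("Mozilla/")


def hunt_ddi_chain(log_text):
    """Return one finding per client IP that called GetList, most complete chain first."""
    by_ip = defaultdict(list)
    for rec in parse_iis(log_text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[rec["c-ip"]].append((ts, rec))
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        getlist_at = setobject_at = None
        downloaded = None
        users, agents = set(), set()
        for ts, rec in events:
            stem = rec["cs-uri-stem"]
            if stem.lower() == GETLIST:
                getlist_at = ts
            elif stem.lower() == SETOBJECT and getlist_at and ts - getlist_at <= WINDOW:
                setobject_at = ts
            elif (rec["cs-method"] == "GET" and ECP_PNG.match(stem)
                  and setobject_at and ts - setobject_at <= WINDOW):
                downloaded = stem
            else:
                continue
            users.add(rec["cs-username"])
            agents.add(rec["cs(User-Agent)"])
        if getlist_at is None:
            continue
        stages = ["GetList"]
        if setobject_at:
            stages.append("SetObject")
        if downloaded:
            stages.append("Download")
        findings.append({
            "client_ip": ip,
            "users": sorted(users),
            "stages": stages,
            "downloaded": downloaded,
            "script_client": any(looks_like_script_client(a) for a in agents),
        })
    return sorted(findings, key=lambda f: -len(f["stages"]))


if __name__ == "__main__":
    for finding in hunt_ddi_chain(SAMPLE_LOG):
        print(finding)
```

Point it at the front-end IIS logs (by default under inetpub\logs\LogFiles on the Exchange server). A GetList call on its own is normal administrator activity, which is why the helpdesk user in the sample only rates a one-stage finding; the full three-stage sequence from a scripted client is what to escalate.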

Example attack code is available at:


Although initial media reports emphasized the US impact, our telemetry shows global impact. We recommend that all organizations running the affected Microsoft Exchange Server versions patch immediately and then continuously monitor activity on those servers.

Versions Affected

These vulnerabilities affect Microsoft Exchange Server 2010, 2013, 2016 and 2019.

How Network Detection and Response (NDR) can help

Blue Hexagon Threat Lab has been proactively tracking suspicious activity against publicly accessible servers and has seen attacks at every stage of the kill chain, from initial reconnaissance and exploitation attempts to web shells and post-exploitation activity. It is likely that, with elevated privileges, an attacker can bypass endpoint tools or rely on in-memory techniques that leave little on disk.

Blue Hexagon's deep learning-powered Network Detection and Response solution provides a complete kill chain view: the initial reconnaissance, exploitation attempts (for example, JavaScript snippets), delivery of web shells, and the command and control and exfiltration that follow. It also lets defenders focus quickly on their Exchange servers and on all north-south (public to trusted) and east-west (lateral, within trusted zones) network activity involving them.

Below is a summary of observed and potential attacker behavior and how NDR can provide visibility into the various stages of the kill-chain. We will continue to update these as more information about the attacks becomes available.

Attacker Behavior                                             | Blue Hexagon NDR Detection
--------------------------------------------------------------|-------------------------------------------------------------------
Using archive files (7z, WinRAR) for exfiltration             | Exfiltration detection; file visibility and analysis
Downloading PowerCat from GitHub                              | HTTPS visibility and analysis
Using Nishang or PowerCat to establish C2                     | Deep learning verdicts on C2
Covenant or Cobalt Strike payloads after web shell activation | Deep learning verdicts on payloads and C2
Initial recon and exploitation attempts                       | User agents, URIs and files in the Blue Hexagon Visibility Platform

Indicators of Compromise:

Listed below are the current IOCs that Blue Hexagon Threat Labs is researching and monitoring as part of this attack. This section will be updated daily as further research becomes available. [Updated on 03/08/2021, 03/09/2021, 03/11/2021]

Batch Script SHA-256


Shellcode SHA-256


Backdoor SHA-256


WebShell SHA-256


HTTP GET Request 


HTTP POST Requests

  • /owa/auth/Current/themes/resources/logon.css
  • /owa/auth/Current/themes/resources/lgnbotl.gif
  • /owa/auth/Current/themes/resources/owafont_ko.css
  • /owa/auth/Current/themes/resources/owafont_ja.css
  • /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
  • /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf

Static theme resources such as stylesheets, images and fonts never legitimately receive POST requests, so any POST to these paths in the IIS logs warrants investigation.

Attacker Infrastructure Domains

Attacker Infrastructure URLs

Attacker Infrastructure IPs

File names used by the WebShell

Discover.aspx, HttpProxy.aspx, Logout.aspx, MultiUp.aspx, Online.aspx, OutlookEN.aspx, OutlookJP.aspx, OutlookRU.aspx, RedirSuiteServerProxy.aspx, Shell.aspx, iisstart.aspx, aspnet_client.aspx, aspnet_iisstart.aspx, aspnet_www.aspx, document.aspx, error.aspx, errorEE.aspx, errorEEE.aspx, errorEW.aspx, errorFF.aspx, healthcheck.aspx, help.aspx, one.aspx, shell.aspx, web.aspx, xx.aspx, aspnet.aspx, aspnet_error.aspx, aspnet_regiis.aspx, caches.aspx, client.aspx, discover.aspx, dukybySSSS.aspx, dvgippna.aspx, err0r.aspx, front.aspx, load.aspx, log_error_9e23efc3.aspx, outlooken.aspx, outlookus.aspx, outlookzh.aspx, r07azcq5.aspx, supp0rt.aspx, xpy07b5a.aspx, zxvt0lpt.aspx, OutlookUS.aspx, OutlookZH.aspx, 8Lw7tAhF9i1pJnRo.aspx, a.aspx, authhead.aspx, bob.aspx, default.aspx, errorPage.aspx, errorPages.aspx, fatal-erro.aspx, log.aspx, logg.aspx, logout.aspx, one1.aspx, shel.aspx, shel2.aspx, shel90.aspx, aspnet_pages.aspx, default1.aspx, errorcheck.aspx, iispage.aspx, s.aspx, Server.aspx, session.aspx, xclkmcfldfi948398430fdjkfdkj.aspx, services.aspx, logon.aspx, TimeoutLogout.aspx, 333.aspx
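A filesystem sweep for the file names listed above, added here as an example and not code from the advisory or from Blue Hexagon. It walks the directories an operator supplies, flags .aspx files whose names are on the list (compared case-insensitively, since NTFS ignores case and the list itself contains both Shell.aspx and shell.aspx), hashes each hit with SHA-256 for comparison against published hashes, and also reports .aspx files modified after a cutoff date, because attackers do not limit themselves to names on any list. The default Exchange paths, the cutoff date and the demo directory tree it builds in a temp folder are assumptions for this example. Note that some listed names, logon.aspx among them, are also legitimate Exchange pages: a name match alone is not confirmation, and the hash should be compared with a known-clean installation.

```python
"""Sweep web roots for the web shell file names listed above.

Added example, not code from the advisory or from Blue Hexagon. Default
roots, the cutoff and the demo tree in a temp folder are assumptions.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Names from the list above, lower-cased for case-insensitive matching.
WEBSHELL_NAMES = set("""
discover.aspx httpproxy.aspx logout.aspx multiup.aspx online.aspx outlooken.aspx
outlookjp.aspx outlookru.aspx redirsuiteserverproxy.aspx shell.aspx iisstart.aspx
aspnet_client.aspx aspnet_iisstart.aspx aspnet_www.aspx document.aspx error.aspx
erroree.aspx erroreee.aspx errorew.aspx errorff.aspx healthcheck.aspx help.aspx
one.aspx web.aspx xx.aspx aspnet.aspx aspnet_error.aspx aspnet_regiis.aspx
caches.aspx client.aspx dukybyssss.aspx dvgippna.aspx err0r.aspx front.aspx
load.aspx log_error_9e23efc3.aspx outlookus.aspx outlookzh.aspx r07azcq5.aspx
supp0rt.aspx xpy07b5a.aspx zxvt0lpt.aspx 8lw7tahf9i1pjnro.aspx a.aspx authhead.aspx
bob.aspx default.aspx errorpage.aspx errorpages.aspx fatal-erro.aspx log.aspx
logg.aspx one1.aspx shel.aspx shel2.aspx shel90.aspx aspnet_pages.aspx
default1.aspx errorcheck.aspx iispage.aspx s.aspx server.aspx session.aspx
xclkmcfldfi948398430fdjkfdkj.aspx services.aspx logon.aspx timeoutlogout.aspx
333.aspx
""".split())

# Assumption: usual Exchange 2016/2019 drop locations; adjust to your install.
DEFAULT_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
]
DEFAULT_CUTOFF = datetime(2021, 2, 26, tzinfo=timezone.utc)  # assumption


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, cutoff=DEFAULT_CUTOFF):
    """One finding per .aspx file that has a listed name or is newer than cutoff."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # not every root exists on every server role
        for p in root.rglob("*.aspx"):
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            name_match = p.name.lower() in WEBSHELL_NAMES
            recent = mtime >= cutoff
            if name_match or recent:
                findings.append({"path": str(p), "name_match": name_match,
                                 "modified_after_cutoff": recent,
                                 "mtime": mtime.isoformat(), "sha256": sha256_file(p)})
    return findings


# Constructed demo tree; the file bodies are placeholders, not real pages.
DEMO_SHELL_BYTES = b"<%-- placeholder standing in for a dropped .aspx --%>"
DEMO_LEGIT_BYTES = b"<%-- placeholder standing in for a shipped OWA page --%>"


def build_demo_tree(base):
    owa_auth = base / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    client = base / "inetpub" / "wwwroot" / "aspnet_client"
    (owa_auth / "Current" / "themes" / "resources").mkdir(parents=True)
    client.mkdir(parents=True)
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    # Shipped pages with install-time timestamps; logon.aspx is a legitimate
    # OWA page whose name nevertheless appears on the list.
    for name in ("logon.aspx", "errorFE.aspx"):
        f = owa_auth / name
        f.write_bytes(DEMO_LEGIT_BYTES)
        os.utime(f, (old, old))
    # Recently written files: one with a listed name, one with a random name.
    (client / "shell.aspx").write_bytes(DEMO_SHELL_BYTES)
    (owa_auth / "Current" / "themes" / "resources" / "x9k2.aspx").write_bytes(DEMO_SHELL_BYTES)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return sweep([base / "FrontEnd" / "HttpProxy" / "owa" / "auth",
                      base / "inetpub" / "wwwroot" / "aspnet_client"])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real server call sweep(DEFAULT_ROOTS) and triage in this order: recent files with unlisted names (x9k2.aspx in the demo), then recent files with listed names, and only then old files whose names happen to be on the list, which are usually shipped pages. Modification times can be altered by an attacker, so treat the cutoff as a prioritization aid rather than a filter.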



Questions? How to Contact Blue Hexagon Threat Experts

If you have any questions, or need assistance determining whether your current security controls can surface the attack and IoCs described above and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at  or online at  and let us know how we can help.

Note: You may like to bookmark this blog post for future reference as we continue to add further research on this attack.

  1. Updated on 03/08/2021 with additional IOCs – Attacker IPs and WebShell SHA-256
  2. Updated on 03/09/2021 with additional IOCs – Attacker IPs
  3. Updated on 03/11/2021 with additional IOCs – Attacker IPs, Domains, URLs, ShellCode SHA-256, Backdoor SHA-256, WebShell SHA-256 and Filenames used by the WebShell.  
  4. Updated on 03/12/2021 with additional IOCs – HTTP GET Request and HTTP POST requests.
  5. Updated on 03/15/2021 with additional IOCs – Attacker Domains, URLs, WebShell SHA-256 and Batch Script SHA-256.
  6. Updated on 03/18/2021 with additional IOCs – Backdoor SHA-256.
  7. Updated on 03/22/2021 with additional IOCs – Backdoor SHA-256 and Filenames used by the WebShell.