Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.
National CSIRT-CY is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.
For additional information on the script, see Microsoft's blog post "HAFNIUM targeting Exchange Servers with 0-day exploits".
For more information about these vulnerabilities and how to defend against their exploitation, see:
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange