The Great British Exchange Hack: What Businesses Need to Know

Published
Boost Performance

Executive Summary

  • In early January 2021, four so-called “zero-day” exploits were identified on different Microsoft Exchange Servers.
  • The exploits are thought to have impacted approximately 7000 servers within UK businesses.
  • As of March 15th 2021, Microsoft has released updates for all affected Exchange Server to patch these exploits, though the full extent of the damage is as yet unknown.

Introduction

The world has seen its fair share of high-profile cyberattacks in the last few months.

With the SolarWinds hack wreaking havoc on US businesses – and even parts of the US government – in late 2020, companies were already under cybersecurity pressure.

So, as Murphy’s Law dictates, another large-scale cyberattack hit the headlines in March 2021. First identified in early January, the Microsoft Exchange Server hack targeted the email infrastructure of businesses across the world, including at least 7000 in the UK.

Microsoft patched the server exploits on March 2nd,, meaning the attack is over for now – but what can UK businesses learn from this? And how did it actually happen?

Let’s find out.

What is the 2021 Microsoft Exchange Server hack?

The Microsoft Exchange Server attack began, or was at least first detected, in early January 2021.

A researcher known as “Orange Tsai”, working for security company DEVCORE, first reported two security issues regarding Microsoft Exchange Server on Twitter on January 5th.

These vulnerabilities were “zero-day” exploits. In plain English, that essentially means that they were brand new and unknown to the team at Microsoft. At least two more exploits were discovered in the following days, and the hack affected the following:

  • Microsoft Exchange 2010
  • Microsoft Exchange 2013
  • Microsoft Exchange 2016
  • Microsoft Exchange 2019

Importantly, the hack only affects the “on-premises” (i.e. locally installed) server software and not Microsoft Exchange Online.

The method, the result, and the resolution

This type of zero-day attack on servers is potentially very damaging for businesses, because the hack gave attackers access to user emails, passwords, any devices connected to the server, and granted full admin rights for the server.

How did they do it? It gets a little technical, but the group of attackers, known as “Hafnium”, identified exploits in the Outlook Web Access module of Microsoft Exchange Server and used them as an entry point to the entire server. With this type of access, attackers may have been able to download complete email logs, adding or deleting users, and potentially even installing other “backdoors” to enable future malware attacks.

So how did Microsoft respond? Of course, as soon as they were made aware of the exploits — which reportedly happened in early January — their team would have got to work developing patches to repair the security holes. This process came to fruition on March 2nd 2021 with the release of security updates for Microsoft Exchange 2010, 2013, 2016, and 2019.

Importantly, these patches won’t retroactively undo any of the damage done by the hack, but they will prevent these same exploits being used by attackers in future.

Could the Microsoft Exchange hack impact your business?

It’s understandable that UK businesses might be worried that their servers have been exposed to this attack.

While that’s possible, it’s actually quite unlikely for most small businesses.

Microsoft estimates that just 7000 servers in the UK were compromised by the Exchange Server attack, which, while a big number, is dwarfed by the total number of business premises. In addition, it’s known that the attackers targeted specific types of companies, including infectious disease researchers, higher education institutions, defence contractors, and law firms.

If you are concerned about your on-premises servers, the first (and most important) thing to do is patch your Microsoft Exchange Servers immediately.

Once this is done, if you believe there’s a possibility of an attack having taken place, Microsoft has released a number of tools to assist in detection. More specifically, they’ve released the Exchange On-premises Mitigation Tool (EOMT) and Indicators Of Compromise (IOC) scripts, both of which are designed to help your IT administrators pinpoint potential evidence of attacks and mitigate problems prior to patching.

This stuff can get technical fast, so if you are at all worried, please reach out to the Get Support team, who will be happy to help address any of your concerns about the Microsoft Exchange hack – and even assist with mitigation if required.

Need help protecting your business from the next big hack?

While it’s very unlikely that your business was impacted by the 2021 Microsoft Exchange hack, it still serves as a valuable lesson for UK businesses.

If you’ve not yet levelled-up your cyberthreat protection to something like an Endpoint Detection and Response (EDR) system, now might be the time.

At Get Support, we’re experts in recommending, deploying, and configuring the very best cybersecurity software to keep your business safe.

Learn more about how we can help you today by calling 01865 59 4000 or simply filling in the form below.

Latest From The Blog

Cyber Essentials is changing (again) in 2025. But there’s good news.   

Cyber Essentials is changing in 2025. Get up to speed on the key updates, including passwordless authentication and vulnerability fixes.

Microsoft 365 Copilot Release Roundup: August, September, October 2024  

Discover the latest updates for Microsoft Copilot released during August, September, and October 2024.

What's new with the Windows 11 24H2 update?

Here’s a Get Support guide to the latest Windows 11 24H2 update, including what matters most for small businesses.