Proxylogon Vulnerabilities - Summary

Non-Technical Advice

The vulnerabilities described on this and the following page are known as the Proxylogon vulnerabilities, which affect various versions of the on-premises Microsoft Exchange email server (2013, 2016 and 2019). If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk from these vulnerabilities.

While this is a collection of four vulnerabilities, the highest risk vulnerability has been independently scored as posing a critical risk to most organisations.

The Operation Configured team have contacted you because research indicates that your organisation may have these vulnerabilities and it is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether your organisation is vulnerable. If you establish that your systems are vulnerable, there is an increased risk you will fall victim to a potentially devastating criminal cyber attack.

There is also a technically focused summary of these vulnerabilities available for ICT and other technical teams. You should use both summaries to support you in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About these Vulnerabilities

In 2021 researchers detected the exploitation of four technical vulnerabilities being used to attack on-premises versions of the Microsoft Exchange Server in limited and targeted attacks. Microsoft Exchange is predominantly an email server, but does provide some other functionality.

In the attacks observed, the criminals, often referred to as ‘threat actors’, used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts. The criminals could also further exploit the server in a way which allowed them to install additional malicious software (‘malware’) to facilitate long-term access to the wider network and systems of their victims.


The Risk these Vulnerabilities pose

There are significant risks should you choose to ignore or accept these vulnerabilities remaining in your system. Criminals are known to be actively scanning for vulnerable Exchange email servers and using them to attack organisations. Consequences may include, but are not limited to:

  • Theft of your data
  • Corruption of your backups
  • Using you to attack others you work with, damaging your reputation
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

News Reporting of Exploitation of these Vulnerabilities

Thousands of organisations have fallen victim to the exploitation of the Proxylogon group of vulnerabilities and it made headlines – BBC: Microsoft Hack: 3,000 UK email servers remain unsecured. A number of organisations, such as the European Banking Authority, have admitted they have been victims.


Next Steps

The next steps for your organisation should be to:

  1. Verify the presence of these vulnerabilities in your organisation; if so:
  2. Establish if these vulnerabilities have already been exploited on your systems
  3. Work with your ICT team or provider to establish the degree of threat, potential harm and risk posed to your organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve these vulnerabilities and eliminate the risk
  6. Plan to improve your cybersecurity for the future

For more information: