Microsoft releases special tools to detect whether Exchange Servers have been hacked

Microsoft Exchange Server 2013 through 2019 contain security vulnerabilities, and tens of thousands of government and enterprise organizations have already been attacked by hackers.

At present, only 10% of government and enterprise organizations have patched this vulnerability; the remaining 90% may not even know that such a major vulnerability exists.


As a countermeasure, Microsoft not only issued emergency security updates to fix the vulnerability but also developed special tools to help customers detect whether they were hacked.

If your company or institution runs the on-premises version of Exchange Server, you should run this tool immediately to check whether your environment is safe.

The tools have been open-sourced for use by all enterprises and government agencies. You can download them here. The tools include:

Test-ProxyLogon.ps1

Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.
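The first of those four commands searches the HttpProxy logs for unauthenticated requests whose AnchorMailbox points at a backend path, the indicator Microsoft associates with CVE-2021-26855. The script below is an added example, not part of Microsoft's tools or of this article: it re-implements that one check in Python over a constructed log sample, and the column names (DateTime, AuthenticatedUser, AnchorMailbox) and the "#Fields:" header convention are assumptions about the HttpProxy log layout.

```python
import csv
from pathlib import Path

# Constructed sample shaped like an Exchange HttpProxy log (assumed layout; the
# values are invented for this example and are not real indicators).
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem
DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T10:15:01.000Z,1,10.0.0.5,CONTOSO\\alice,SMTP:alice@contoso.example,/owa/
2021-03-03T10:15:02.000Z,2,198.51.100.7,,ServerInfo~backend.contoso.example:444/mapi/nspi/,/owa/auth/x.js
2021-03-03T10:15:03.000Z,3,10.0.0.9,CONTOSO\\bob,Sid~S-1-5-21-1-2-3-1001,/ecp/
2021-03-03T10:15:04.000Z,4,198.51.100.7,,ServerInfo~localhost/ecp/default.flt,/ecp/y.js
"""


def _rows(log_text):
    """Yield dict rows; '#Fields:' names the columns, other '#' lines are skipped."""
    fieldnames, data = None, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif not line.startswith("#"):
            data.append(line)
    if fieldnames is None:                      # no #Fields line: first row is the header
        return csv.DictReader(data)
    if data and data[0].split(",") == fieldnames:  # drop a repeated plain header row
        data = data[1:]
    return csv.DictReader(data, fieldnames=fieldnames)


def find_proxylogon_requests(log_text):
    """Return requests with no authenticated user whose AnchorMailbox is of the
    form ServerInfo~<host>/<path>, i.e. the CVE-2021-26855 SSRF pattern."""
    hits = []
    for row in _rows(log_text):
        anchor = row.get("AnchorMailbox") or ""
        if not (row.get("AuthenticatedUser") or "") and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append({"DateTime": row.get("DateTime", ""),
                         "ClientIpAddress": row.get("ClientIpAddress", ""),
                         "AnchorMailbox": anchor})
    return hits


def scan_httpproxy_directory(root):
    """Recursively scan every *.log under root (e.g. the HttpProxy logging folder)."""
    hits = []
    for path in sorted(Path(root).rglob("*.log")):
        hits.extend(find_proxylogon_requests(path.read_text(encoding="utf-8", errors="replace")))
    return hits


if __name__ == "__main__":
    for hit in find_proxylogon_requests(SAMPLE_HTTPPROXY_LOG):
        print(hit)
```

Any hit warrants the remaining three checks and a full incident-response review of that server, since this pattern alone does not say whether exploitation succeeded.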

BackendCookieMitigation.ps1

This mitigation filters HTTPS requests that contain malicious X-AnonResource-Backend cookies and malformed X-BEResource cookies, which were found to be used in CVE-2021-26855.

This will help with defense against the known patterns observed but not the SSRF as a whole. For more information please visit https://aka.ms/exchangevulns.

http-vuln-cve2021-26855.nse

This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855). For usage information, please read the top of the file.