Microsoft Corp. is looking into the possibility that the recent cyberattacks against Exchange Server email servers employed data leaked from its systems or those of its partners, the Wall Street Journal reported today.

Exchange Server is a Microsoft-developed email and calendar platform popular in enterprises. At the beginning of March, the company revealed that hackers have been using previously unknown “zero-day” flaws in the platform to launch cyberattacks against customers. Tom Burt, Microsoft’s corporate vice president for customer security and trust, attributed the cyberattacks to a China-based hacking group the company is calling Hafnium.

The key context behind Microsoft’s reported leak investigation is the timing of the hacking campaign. According to the Journal’s sources, the attacks began in early January and widened in late February just as Microsoft was preparing to release software fixes for the Exchange vulnerabilities.

The second series of attacks is believed to have begun around Feb. 28. According to today’s report, multiple security firms have determined that the campaign employed hacking tools similar to proof-of-concept attack code Microsoft sent out to partners the week before to help them address the threat. The company released patches for the vulnerabilities a few days later, on March 2. 

It appears Microsoft is seeking to determine whether the code shared with partners may have found its way to the hackers. As part of its investigation, the company is said to be looking into the Microsoft Active Protections Program through which it shares information on vulnerabilities with firms such as antivirus providers. A notification sent out to some of the participants in the program on Feb. 23 reportedly included the proof-of-concept attack code.

The Exchange Server vulnerabilities were found in versions of the platform dating back to the 2010 edition. They allow hackers to gain access to a company’s Exchange Server installation and set up a malicious program known as a web shell in the compromised deployment that they can be used to steal emails remotely.

A separate Wall Street Journal report last week stated that it’s believed as many as 250,000 or more Microsoft customers may have been targeted. Researchers have determined that at least 10 hacking groups are now exploiting the vulnerabilities to launch hacking campaigns, including ransomware attacks.

Photo: efes/Pixabay