March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server
AI Analysis
Technical Summary
The March 2021 Exchange Server Security Updates (SUs) fix vulnerabilities in on-premises Microsoft Exchange Server. The Microsoft text quoted in the indicators below adds a point the title alone does not convey: alongside the SUs for supported Cumulative Updates (CUs), Microsoft produced an additional series of SUs that can be installed on some older, unsupported CUs, as a temporary measure so that vulnerable servers can be protected immediately. These interim SUs do not replace the normal requirement to move to the latest supported CU and then apply its SU. The indicators attached to this entry (malware hashes and malicious file paths) were observed by Microsoft in attacks related to these vulnerabilities, so exploitation was already under way when the updates shipped; the entry's categorisation under malware, payload delivery and artifacts dropped reflects that. Every listed path is an .aspx file in a web-served directory (owa\auth, OAB and C:\inetpub\wwwroot\aspnet_client), the placement used for web shells that give an attacker persistent command execution on the server after the initial exploit. The entry carries a threat level of 1 and an analysis rating of 2 in its metadata, but the overall severity is assessed as high given Exchange's role in enterprise environments and the evidence of active exploitation. Neither the CVE identifiers nor the exact CUs covered by the interim SUs are listed here; the linked Microsoft post is the authoritative source for both.
Potential Impact
For European organizations, exploitation of these vulnerabilities has serious consequences. Microsoft Exchange Server is widely deployed across Europe for email and calendaring, which makes it both a high-value target and a critical dependency. A server compromised through these flaws gives the attacker a foothold inside the network with access to mailbox content; from there the expected follow-on activity is data exfiltration and lateral movement, compromising confidentiality and integrity, and availability as well if the server has to be taken offline for rebuild. Sectors such as finance, government, healthcare and critical infrastructure are particularly exposed because of the sensitivity of their correspondence. The risk is highest for organizations running older CUs: those CUs need the interim SUs Microsoft issued specifically for them, or a CU upgrade first, and the indicators on this page show that attackers were already placing web shells on unpatched servers, so a server that was exposed before patching may already be compromised.
Mitigation Recommendations
European organizations should first apply the March 2021 SU that matches their installed CU: Microsoft produced SUs for the supported CUs and, as a stopgap, for some older unsupported CUs. The stopgap does not end the work; the next step is to update to the latest supported CU and apply its SU, and a CU update already in progress should be completed rather than abandoned. Inventory every Exchange server and verify the installed build on each, since a single server that missed the SU remains exploitable. Before and after patching, hunt for the indicators on this page: check for the listed .aspx paths under owa\auth, OAB and C:\inetpub\wwwroot\aspnet_client, and hash every .aspx file in those directories against the listed SHA-256 values, because patching closes the vulnerability but does not remove a web shell that was dropped earlier. A confirmed web shell means the server, and the credentials it held, should be treated as compromised and investigated rather than simply cleaned. Limit exposure of the Exchange front-end services to untrusted networks where the deployment allows, monitor IIS and Exchange logs for requests to unexpected .aspx paths, enforce multi-factor authentication and least privilege for administrative accounts, and keep tested backups of Exchange data. Mail-gateway sandboxing and phishing-awareness training remain good practice but do not address this threat, since the artefacts here are written to the server by exploitation rather than delivered as attachments.
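As an added example that is not part of the original entry or of Microsoft's tooling, the PowerShell below triages one Exchange server against the file paths and SHA-256 hashes listed under Indicators of Compromise on this page. It assumes an elevated PowerShell session on the server with the Exchange Bin directory on PATH (Exchange setup adds it), that Exchange is installed under %PROGRAMFILES%, and that the reader compares the reported build with the build numbers in Microsoft's SU announcement; those numbers are not on this page and are not hard-coded. A path match alone is a lead, not proof: confirm with the file's hash, timestamp and contents.

```powershell
# Added example (not from the page or from Microsoft): triage one Exchange
# server against the file-path and SHA-256 indicators listed on this page.
# Assumptions: elevated PowerShell on the server, Exchange Bin dir on PATH,
# Exchange installed under %PROGRAMFILES%. Only the paths and hashes come
# from the page; everything else is the example's own choice.

# 1. Report the installed Exchange build. Compare it by hand with the build
#    numbers in Microsoft's March 2021 SU announcement (not hard-coded here).
$exsetup = Get-Command Exsetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    "Exchange build (ExSetup.exe): {0}" -f $exsetup.FileVersionInfo.ProductVersion
} else {
    "ExSetup.exe not on PATH; run this from the Exchange Management Shell"
}

# 2. File-path indicators from the page. Adjust $fePath if Exchange lives
#    on another drive.
$fePath = [Environment]::ExpandEnvironmentVariables(
    '%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy')
$iocPaths = @(
    'errorPages.aspx','fatal-erro.aspx','log.aspx','logg.aspx','logout.aspx',
    'one.aspx','one1.aspx','shel.aspx','shel2.aspx','shel90.aspx','a.aspx','default.aspx'
) | ForEach-Object { Join-Path $fePath "owa\auth\$_" }
$iocPaths += Join-Path $fePath 'OAB\log.aspx'
$iocPaths += @(
    'shell.aspx','Server.aspx','aspnet_client.aspx','aspnet_iisstart.aspx',
    'aspnet_pages.aspx','aspnet_www.aspx','default1.aspx','errorcheck.aspx',
    'iispage.aspx','s.aspx','session.aspx','system_web\log.aspx',
    'xclkmcfldfi948398430fdjkfdkj.aspx','xx.aspx','discover.aspx',
    'HttpProxy.aspx','OutlookEN.aspx','supp0rt.aspx'
) | ForEach-Object { Join-Path 'C:\inetpub\wwwroot\aspnet_client' $_ }

# 3. SHA-256 indicators from the page. Get-FileHash emits upper-case hex,
#    so normalise the list the same way before comparing.
$iocSha256 = @(
    '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1',
    'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0',
    '4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea',
    '811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d',
    '65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5'
) | ForEach-Object { $_.ToUpperInvariant() }

$hits = @()

# 4. Exact path matches. Record the write time: it is the first thing an
#    investigator wants next to the path.
foreach ($p in $iocPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $hits += [pscustomobject]@{
            Indicator = 'path'; File = $p; Detail = $item.LastWriteTimeUtc
        }
    }
}

# 5. Hash every .aspx under the directories the indicators point at, so a
#    known sample dropped under a different name still matches on content.
$scanDirs = @(
    (Join-Path $fePath 'owa\auth'),
    (Join-Path $fePath 'OAB'),
    'C:\inetpub\wwwroot\aspnet_client'
)
$aspxFiles = Get-ChildItem -Path $scanDirs -Filter *.aspx -Recurse -File `
    -ErrorAction SilentlyContinue
foreach ($f in $aspxFiles) {
    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    if ($iocSha256 -contains $h) {
        $hits += [pscustomobject]@{
            Indicator = 'sha256'; File = $f.FullName; Detail = $h
        }
    }
}

if ($hits.Count -eq 0) {
    "No file-path or hash indicators from this page were found on this host."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it once before patching, to learn whether the server was already compromised, and again afterwards, since the SU removes the vulnerability but leaves any dropped .aspx in place. Any .aspx in these directories that is not part of the Exchange installation deserves the same scrutiny even if it matches neither list; the hashes here cover only the samples Microsoft published.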
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Indicators of Compromise
- hash (SHA-256): 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
- hash (SHA-256): b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
- hash (SHA-256): 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
- hash (SHA-256): 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
- hash (SHA-256): 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorPages.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\fatal-erro.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\log.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logg.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logout.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\one.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\one1.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\shel.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\shel2.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\shel90.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\a.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\default.aspx
- file: C:\inetpub\wwwroot\aspnet_client\shell.aspx
- file: C:\inetpub\wwwroot\aspnet_client\Server.aspx
- file: C:\inetpub\wwwroot\aspnet_client\aspnet_client.aspx
- file: C:\inetpub\wwwroot\aspnet_client\aspnet_iisstart.aspx
- file: C:\inetpub\wwwroot\aspnet_client\aspnet_pages.aspx
- file: C:\inetpub\wwwroot\aspnet_client\aspnet_www.aspx
- file: C:\inetpub\wwwroot\aspnet_client\default1.aspx
- file: C:\inetpub\wwwroot\aspnet_client\errorcheck.aspx
- file: C:\inetpub\wwwroot\aspnet_client\iispage.aspx
- file: C:\inetpub\wwwroot\aspnet_client\s.aspx
- file: C:\inetpub\wwwroot\aspnet_client\session.aspx
- file: C:\inetpub\wwwroot\aspnet_client\system_web\log.aspx
- file: C:\inetpub\wwwroot\aspnet_client\xclkmcfldfi948398430fdjkfdkj.aspx
- file: C:\inetpub\wwwroot\aspnet_client\xx.aspx
- file: C:\inetpub\wwwroot\aspnet_client\discover.aspx
- file: C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx
- file: C:\inetpub\wwwroot\aspnet_client\OutlookEN.aspx
- file: C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
- file: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB\log.aspx
- link: https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020
- text: March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server To help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.
- sample 1 (VirusTotal analysis 2021-03-09T12:43:18+00:00, detection ratio 32/59)
  - hash (MD5): 4b3039cf227c611c45d2242d1228a121
  - hash (SHA-1): 0ba9a76f55aaa495670d74d21850d0155ff5d6a5
  - hash (SHA-256): b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  - link: https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection/f-b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0-1615293798
- sample 2 (VirusTotal analysis 2021-03-09T10:02:47+00:00, detection ratio 18/58)
  - hash (MD5): 5544ba9ad1b56101b5d52b5270421d4a
  - hash (SHA-1): fc6f5ce56166d9b4516ba207f3a653b722e1a8df
  - hash (SHA-256): 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  - link: https://www.virustotal.com/gui/file/511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1/detection/f-511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1-1615284167
Technical Details
- Threat Level: 1
- Analysis: 2
- Uuid: fd875781-262e-4159-a0cd-ac0241784cc7
- Original Timestamp: 1615361330 (2021-03-10T07:28:50+00:00)
Indicator source
The hashes, VirusTotal links and detection ratios above are taken from Microsoft's IOC feed for these attacks, which Microsoft describes as follows: "To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE." The GitHub links that note refers to are not included on this page.
Threat ID: 682acdbebbaf20d303f0dbc6
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 6/18/2025, 7:49:56 AM
Last updated: 7/26/2025, 8:42:11 AM