March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server

High
Published: Tue Mar 09 2021 (03/09/2021, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: type
Product: osint

Description

March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server

AI-Powered Analysis

Last updated: 06/18/2025, 07:49:56 UTC

Technical Analysis

The March 2021 Exchange Server Security Updates address vulnerabilities present in older Cumulative Updates of Microsoft Exchange Server. These vulnerabilities potentially allow attackers to deliver malicious payloads and drop artifacts on compromised systems, facilitating unauthorized access or further exploitation. Although specific affected versions are not listed, the focus on older cumulative updates suggests that unpatched or outdated Exchange Server installations are at risk. The threat is categorized under malware, payload delivery, and artifacts dropped, indicating that exploitation could lead to malware installation and persistence within the targeted environment. The absence of known exploits in the wild at the time of publication suggests that while the vulnerabilities were recognized, active exploitation was not yet observed. No patches are available specifically for these older cumulative updates, which implies that organizations must upgrade to supported, patched versions to mitigate the risk. The technical details provided are limited, with a low threat level and moderate analysis rating, but the overall severity is assessed as high, reflecting the critical nature of Exchange Server in enterprise environments and the potential impact of exploitation.

Potential Impact

For European organizations, the exploitation of vulnerabilities in older Exchange Server cumulative updates could have significant consequences. Microsoft Exchange Server is widely used across Europe for email and calendaring services, making it a critical component of organizational infrastructure. Successful exploitation could lead to unauthorized access to sensitive communications, data exfiltration, and potential lateral movement within networks. This compromises confidentiality and integrity of information, and may also impact availability if systems are disrupted or taken offline. Given the central role of Exchange Server in business operations, such disruptions could affect productivity and service continuity. Additionally, organizations in sectors such as finance, government, healthcare, and critical infrastructure are particularly at risk due to the sensitive nature of their communications and data. The lack of patches for older cumulative updates increases the risk for organizations that have not maintained up-to-date Exchange Server environments, potentially exposing them to targeted attacks or malware campaigns leveraging these vulnerabilities.

Mitigation Recommendations

European organizations should prioritize upgrading their Exchange Server installations to the latest supported cumulative updates that include the March 2021 security fixes. Since no patches are available for older cumulative updates, maintaining unsupported versions poses a significant risk. Organizations should conduct comprehensive audits to identify all Exchange Server instances and verify their patch levels. Implementing strict network segmentation can limit exposure of Exchange Servers to untrusted networks. Deploying advanced email security solutions with malware detection and sandboxing capabilities can help detect and block malicious payloads. Monitoring Exchange Server logs and network traffic for unusual activity or indicators of compromise is essential for early detection. Additionally, organizations should enforce strong access controls and multi-factor authentication for administrative accounts to reduce the risk of unauthorized access. Regular backups of Exchange data should be maintained and tested to ensure recovery capability in case of compromise. Finally, user awareness training focusing on phishing and social engineering can reduce the likelihood of initial compromise vectors.

Technical Details

Threat Level: 1
Analysis: 2
UUID: fd875781-262e-4159-a0cd-ac0241784cc7
Original Timestamp: 1615361330

Indicators of Compromise

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.

Link

https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020
https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection/f-b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0-1615293798
https://www.virustotal.com/gui/file/511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1/detection/f-511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1-1615284167

Text

March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server

To help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.

32/59
18/58

Datetime

2021-03-09T12:43:18+00:00
2021-03-09T10:02:47+00:00

Threat ID: 682acdbebbaf20d303f0dbc6

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 6/18/2025, 7:49:56 AM

Last updated: 8/11/2025, 3:31:08 PM
