Microsoft was warned about Exchange Server flaws two months ago
The European Banking Authority is the latest major public body to be compromised by the mass hack


Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.
The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog.
Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.
Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported its incident response findings to Microsoft on 27 January.
In a blog post, Dubex detailed how hackers took advantage of the 'unified messaging' module in Exchange to install web shell backdoors. The module allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts, in users’ mailboxes.
“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.
However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.
The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.
Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company "had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.
IT Pro has contacted Microsoft for comment but is yet to hear back from the company.
The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.
In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”.
Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.
Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.
Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.