Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021
Microsoft has released a set of out of band security updates for vulnerabilities for the following ver...
Updated Mar 19, 2021
Version 44.0
Blog Post
The following article contains instructions for detecting whether CVE-2021-26855 exploitation has taken place
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq " -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailboxhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
The command is broken (it will never execute and generates a PowerShell continuation prompt (>>). This can be fixed by changing the double quote after $_.AuthenticatedUser -eq " to two single quotes '' - please update the article ASAP!
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox