#nation-state #exchange #china

Hafnium and ProxyLogon

A Chinese group's Exchange zero-days were quiet until the patch leaked early. Then every ransomware crew on Earth raced the defenders to the same unpatched servers.

Cyber Chronicle

In early March 2021, Microsoft disclosed that a Chinese state group it tracked as Hafnium had been exploiting four zero-day vulnerabilities in on-premises Microsoft Exchange Server. Chained together, the bugs — collectively called ProxyLogon — gave an unauthenticated attacker full remote code execution on internet-facing Exchange servers and, from there, the contents of every mailbox.

A targeted operation becomes a feeding frenzy

For weeks, Hafnium's use of the vulnerabilities had been narrow and espionage-focused. That changed when Microsoft shipped emergency patches and published indicators. Within days, exploit details — apparently leaked or independently reconstructed — became widely available, and a long tail of unrelated criminal groups began mass-scanning the internet, web-shelling every unpatched Exchange server they could find before defenders could close the door.

Estimates of compromised Exchange servers ran into the tens of thousands worldwide, including small businesses, local governments, and organizations with no security staff at all. The FBI eventually obtained a court order authorizing it to remotely remove web shells from infected US servers — an unusually aggressive remediation step that itself became a policy discussion.

What the chronicle remembers

ProxyLogon is the canonical example of disclosure-window risk: the gap between a patch becoming available and being applied is a race, and once an exploit is public, every actor on the spectrum runs it at once. The incident, weeks before the broader public absorbed SolarWinds, reinforced that on-premises edge software is a perennial mass-exploitation surface.