A list of puns related to "Hafnium"
Hello,
Was wondering if someone could give me some advice.
The Exchange Server at the place I work has been compromised by the hafnium / zero day exploits and is now spamming emails out every other day. It is only a small company and the person who set the server up is no longer there, hence it was never patched (it is only on CU13). I have disconnected the Domain Controller machine and the machine running Exchange. I have stupidly / bravely agreed to do a clean install of Exchange on 2 new machines which the company have bought, so one as the DC and one with Exchange on. I'm no expert but due to the small size of the company and the way the network is set up I don't think it will be too much of a problem (no workstations actually sign into the domain, it's purely used for Exchange only). 95% of the mailboxes from the exploited server it is absolutely fine if nobody ever has access to those emails ever again, but there are some mailboxes where it would be preferential if I exported them from the exploited server and imported them to the new one, but my question is does that come with any risks? I had a read up on the exploit and saw things to do with aspx files so I was thinking I would be ok importing mailboxes, but also I am wary of having anything come over from the old server to the new in case of any risks.
Thank you.
I'm trying to include this little tidbit in my setting, but I can't quite figure out WHAT makes this not feasible in real life (so I can figure out a workaround).
Any smart person willing to shed some light?
An exchange 2016 box was hit by hafnium. Bad.
Essentially, it was patched (CU18), all the PS scripts (EOMT, proxy, etc.) were run to clean it out and show no entries.
However we noticed later that our antivirus catches the .aspx files being randomly generated once every few weeks and clears them out.
We thought it was all okay, but it isn't. We went back to this guide here: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/
We ran the web shells portion of the fix with the removal of the temp asp files commands, but once we did that, exchange ceased to work. We got an error accessing OWA saying NTAuthority\SYSTEM did not have access to: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
Also, ECP wouldn't load and neither would outlook, at all. We had to copy the temporary files back to the folder to get exchange to work.
As I understand it, clearing that directory should've removed what keeps generating the random aspx files in inetpub, and rectified the issue.
Sidenote to that: InetPub\wwwroot is pretty much empty (there's some generic files and \aspnet_client\system_web\4_0_30319\ is totally empty)
EOMT and the proxy scripts find nothing on a full scan. Windows Defender has found the following in just the past week: Name: Behavior:Win32/SuspExchgSession.E Name: TrojanDownloader:PowerShell/Inupe!MSR Name: TrojanDownloader:PowerShell/Inupe!MSR
At this point we are considering just building out a 2019 box and 2019 proxy box (we've never setup a proxy box) and migrating everything over.
Would this be the recommended move? Is there something I'm missing? Insert generic "I'm not an exchange expert" here.
Any expertise and help is greatly appreciated, this has been a struggle now for a while.
So I got servers squared away, but bitD is still showing and blocking about 15 workstations attempting to execute an autod_EMAIL.xml which doesn't appear to exist in the indicated directory. It's listed as a webshell exploit in bitD, but I assume it's part of the choppa payload. I've .old zipped and deleted the original office and outlook folders in appdata and some in program86 and recreated mail profiles, but it seems to continue. Any thoughts on remediation? All the articles only review server patch and remediation but nothing for workstations.
I logged into one of our exchange (2016) servers and saw CPU spiking. Looking at task manager I found two instances of an EXE running called "simple.exe" running from C:\Windows\System32\inetsrv. I uploaded this file to our Sophos portal for further review.
There are many webshells in the C:\inetpub\wwwroot\aspnet_client\ folder.
I checked a few other exchange servers we manage, hosted at completely different organizations, even ones that were brand new spun up post-Hafnium. A majority have webshells.
Has anyone else noticed this? Please let me know, check your environment. I haven't seen anything on r/sysadmin or Spiceworks about it.
Webshells were placed between 8/18 and 8/23. Mostly 8/21 to 8/23.
In Microsoft Security Script Repo there is a new (at least to me) script called CompareExchangeHashes.ps1, so just a heads up if there is somebody that hasn't seen that (like me)
Quote from Microsoft
"This script provides a mechanism for malicious file detection on Exchange servers running E13, E16 or E19 versions. For more information please go to https://aka.ms/exchangevulns
The script currently only validates files in exchange virtual directories only, it does not check any files in the IIS root. This script needs to be run as administrator"
Edit - I can confirm that CompareExchangeHashes.ps1 script from 11 March 2021 (I tested from 18:00h CET) makes sense - still I got some false positives. I can also see other people have some doubts about few files from that script, but it is far better than situation at the beginning of this script. I can recommend it at this point.
Edit 3: March 10 12:49h CET: If you are worried about integrity of some files (especially .aspx) and you would like to check hashes of those files inside Exchange installation - check this comment out, it might help you https://www.reddit.com/r/exchangeserver/comments/m16vzq/hafnium_breach_recap_new_compareexchangehashes/gqfq71e?utm_source=share&utm_medium=web2x&context=3
EDIT 4 10th March 2021 17:39h CET - POTENTIALLY IMPORTANT ONE - You can check if you have been hacked, but before you click on the link, please do your research whether you will trust this link or resource or not. That said - on this link - https://checkmyowa.unit221b.com/ you can check if you have been hacked in this latest breach. According to Allison Nixon from Unit 221 B they somehow got to the list of 86.000 IPs/domains that have been hacked in this breach. If you visit the link above, you can verify yourself by visiting the website from the same IP on which your Exchange resides or by sending email to the domain that is potentially breached. I did it and I came up clean. I will update my blog with this info and screenshot, so you can check that out if you like before clicking on the above link.
One credible source that is reporting this also is https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
Thanks to all who contributed to various threads about this horrid vuln.
The various comments and links posted were invaluable.
Hi all,
I have been responding to about 10 compromised servers, and this is what I have found so far.
There seems to be a pattern, where blocks of systems are hit at the same time, over the course of three hours. I was able to confirm this by running Datto insights on clean and dirty backups. (I am a Datto shop, with appliances holding 3 months retention)
During this 3 hour block, one (or more) of three files will be dropped into inetpub\wwwroot\aspx_client. Load, Discover, Supp0rt. When the files are created, it indicates that a payload was dropped by injecting javascript into your exchange URLs. After injecting the payload, they null out the link, breaking said service, but giving you the option to patch, without them being able to reinject (presumably).
At this point, I have reset PWs, patched servers, and assured the OAB, Discover, and load links are not still the payload (luckily all were null, and have been repaired). I am hesitant to roll back, as some of my clients may lose 6 days of emails. And for a few clients, 6 days of email, and files, and AD changes.
I checked the BCD logs, and the changes were made by my backup, so I think the rootkit lane is less likely.
I also compared backups for essentially the whole inetpub folder, and have only found changes to some ECP log entries (which indicated the exploit) and changes to the aspx folder (where load, discover, and supp0rt are left behind)
I am currently comparing system32 and am deciding what else to compare. If I find anything I will update.
Just received one of these from Cox. They said they sent out thousands of these today.
Well all of this has been just fun hasn't it? I wanted to share some of the things I found on my LAB server that was compromised but it appears none of my production servers were. On my production servers I can see the pings but I have not been able to find anything else. I'm still not 100% convinced though, so I am still looking!
First things first, the Microsoft scripts:
https://preview.redd.it/428fex3cyel61.png?width=958&format=png&auto=webp&s=333aedd190e0866d2a2e87b57d157944a6b9f43c
Since it looks like they pinged our server I started checking the directories Microsoft has recommended and found some hits:
https://preview.redd.it/k27096jkyel61.png?width=771&format=png&auto=webp&s=81f7589f2e21d5591a074b139e13a036dad8ec29
https://preview.redd.it/nse0w4r4zel61.png?width=660&format=png&auto=webp&s=e8a65f496cd33483d5c16bb38780141d69b25c20
I feel at this point I should put a disclaimer that I don't REALLY know what the hell I am doing. Ok so that is over with.
Another good idea is searching the system for files last written within a certain timeframe. I did the last 30 days for ASPX and JS:
https://preview.redd.it/050kkiqgzel61.png?width=1003&format=png&auto=webp&s=ec9836ef3e81d38d192d5719dc38d91fc6b8a8a4
https://preview.redd.it/yrxmmweozel61.png?width=1009&format=png&auto=webp&s=632d573b371be2622dd0c65403c6742b2e69a665
Here is the list of files I found if you wanted to take a look at the contents:
https://drive.google.com/file/d/1c6U1sVTjXq7OoPiAlZXTHDMmgYH2sdmT/view?usp=sharing
The password to open the zip is: MicrosoftSux
--------------------------------
Sadly on our LAB environment we were not keeping a long history of firewall logs, so I wasn't able to gather any.
I also wanted to point out some things and some things I have questions on:
Hi all, we're the creators of the https://checkmyowa.unit221b.com/ website that was discussed in another thread here. We are looking for feedback from victims so we can better understand the data we're working with. In the interest of not duplicating content, the full thread with content is here: https://www.reddit.com/r/exchangeserver/comments/m2mn6o/creators_of_checkmyowa_seeking_feedback_and/
Product affiliation disclosure: My company set up this website as an experiment in victim notification and for other reasons enumerated in that thread. We don't do anything with Exchange servers, and I can't think of anything we do that you would want to spend money on. Our sales guy hates me.
I just thought I'd update the community having pulled at our server for two days and get the info I had out there.
In addition to the PwnDefend IP list of malicious actors, the list on BlueTeamBlog and the list on Cisco Talos I've found the following:
A number of people seem to have findings from Microsoft's excellent Test-ProxyLogon.ps1 showing attempts to call "/ecp/x.js" but showing no sign of it on their system. My going theory at the moment is that this could be some form of initial attack vector potentially either: dropped by one team with a second coming in for exploits later; or dropped during the initial exploit by the real attackers and a number of copycats or security researchers looking for previously compromised boxes. There is an explanation of that here. Seems "GET" isn't that big an issue but "POST" could be. Our logs indicate we had a number of "checks" on our system prior to patching, without that file in-situ.
Our IIS logs indicate the IP above attempting to POST "/ecp/x.js" late yesterday, just a couple of hours after we'd patched. The command that will scan your logs for this is as follows, where you can replace the string pattern with any letter of .js that appears in your results from Test-ProxyLogon.
GET-CHILDITEM c:\inetpub\logs\LogFiles\W3SVC1 -recurse | SELECT-STRING -pattern "/ecp/x.js" | export-csv -append -path "c:\logs\hits1.csv"
Hope this helps someone
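An added example, not part of the original post: a PowerShell function that reads IIS W3C logs by their #Fields header and lists requests to any single-letter .js path under /ecp/ together with the HTTP method, so POSTs can be separated from GETs. It generalizes the single-pattern search above; the function name, the sample log lines and their status codes are constructed for illustration.

```powershell
# Added example, not from the original post. Find-EcpJsRequest is a hypothetical name.
function Find-EcpJsRequest {
    param([string[]] $Line)   # raw IIS W3C log lines, in file order

    $fields = @()
    foreach ($l in $Line) {
        if ([string]::IsNullOrWhiteSpace($l)) { continue }
        if ($l.StartsWith('#Fields:')) {
            # The header names the columns of the data rows that follow it;
            # it can change mid-file if logging settings were edited.
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Anchored match on the URI stem only: /ecp/<one letter>.js
        # (-match is case-insensitive; the dot is escaped, unlike a bare "x.js" pattern)
        if ($row['cs-uri-stem'] -match '^/ecp/[a-z]\.js$') {
            [pscustomobject]@{
                Date     = $row['date']
                Time     = $row['time']
                ClientIp = $row['c-ip']
                Method   = $row['cs-method']
                Uri      = $row['cs-uri-stem']
                Status   = $row['sc-status']
            }
        }
    }
}

# Constructed sample input (documentation IP ranges, invented timestamps and statuses).
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2021-03-09 18:02:11 10.0.0.5 GET /ecp/x.js - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 31'
    '2021-03-09 18:05:40 10.0.0.5 GET /ecp/default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 12'
    '2021-03-09 21:14:02 10.0.0.5 POST /ecp/x.js - 443 - 203.0.113.10 python-requests/2.25.1 - 241 0 0 45'
    '2021-03-09 21:20:19 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.44 python-requests/2.25.1 - 500 0 0 20'
)

$hits = Find-EcpJsRequest -Line $sample

# POST requests are the ones the post above flags as the concern; list them first.
$hits | Sort-Object @{ Expression = { $_.Method -ne 'POST' } }, Date, Time |
    Format-Table -AutoSize

# Against the real log folder used in the command above:
# Get-ChildItem C:\inetpub\logs\LogFiles\W3SVC1 -Recurse -Filter *.log |
#     ForEach-Object { Find-EcpJsRequest -Line (Get-Content $_.FullName) } |
#     Export-Csv -NoTypeInformation -Append -Path C:\logs\hits1.csv
```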
Will try to also put this here because r/sysadmin has broader reach than r/exchangeserver
I already incorporated this into my earlier post, but maybe for better visibility I opened new post.
Please, before you go further and just click on link - establish that you believe source and that you wish to proceed.
EDIT 11 March 2021: CREATOR OF THE SITE OPENED REDDIT THREAD HERE, please head there and give more info, especially those of you who had potentially positive or positive results. - https://www.reddit.com/r/exchangeserver/comments/m2mn6o/creators_of_checkmyowa_seeking_feedback_and/
EDIT 11 March 2021: Creator of the site is active in this thread, so you can read what they said, and also I hope they will stay engaged in this thread to clarify potential doubts - https://www.reddit.com/r/sysadmin/comments/m22hl7/you_can_now_check_if_you_have_been_hackedbreached/gqjd8ob?utm_source=share&utm_medium=web2x&context=3
My credible source which reported this website is https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
Now, that we got disclaimer out of the way - thanks to Unit 221B for their effort and time on this - this is the link on which you can do check - https://checkmyowa.unit221b.com/
If you visit that link from the public IP on which is your exchange server, you will get pop-up from the website if you have been breached. If you are clean - you will not get anything. Important thing is you visit from public IPs on which your Exchange is on (MX record IP/ OWA public IP if it is easier to understand that way. )
Other method is to scroll down the site and enter your email address (it should be on a domain you suspect is breached) - you will get email - I got my report in SPAM, but I got it.
First method, by doing it with IP address and visiting website is better, because mostly there are breached IPs on the list.
I did both and my results are clean.
According to Allison Nixon from Unit 221B there should be 86.000 IPs on that list, so if you were breached in first wave, there are good chances that y
Hi guys and gals,
I'd like to ask for some help with the current Exchange crisis. Little bit of background, I'm just a lowly PC Specialist who's very new to server things.
I'm afraid my Sys Engineer coworker isn't knowledgeable enough to correctly deal with this issue and is downplaying what's going on because he doesn't know how to deal with it.
So I'm going way beyond my job description here in trying to figure this thing out.
So we're running Exchange 2019 CU5 on Server 2019.
I've run the Test-ProxyLogon.ps1 script and immediately I'm running into snags due to the limits of my knowledge. When I run the script in Powershell ISE as is without entering anything, I get a bunch of results back related to the CVE-2021-26855 exploit.
I'd like to output this somewhere, so I can view it outside of Powershell. I can't for the life of me figure out where/how to enter an output path. Any tips in regards to this?
Furthermore, when I'm opening the HTTPProxy logs I get a massive word jumble. On the blogpost where I found the Test-ProxyLogon.ps1 script there was another example Powershell command that supposedly crawls the logs and raises the entries with the suspicious activity. If I copy/paste that into Powershell and run it, it runs.... but where does the result go? I'm assuming I need to give it a valid input path, which I do recognize in the command, but that raises in me a question: There are no logs directly in the HTTPProxy folder, which is the folder the input path refers to. Do I need to expand on that path by telling it which sub folder and individual log file it should check?
And again, you've probably guessed it by now; where does it get outputted? Or do I need to provide a path for that, and if so, how do I do that? I experimented a bit by putting " | -OutPath "C:\Users%username%\Desktop\log.txt" in there, but that just gives me an empty text file on my desktop. What am I doing wrong?
Apologies for the lack of knowledge on my end, like I said, I'm just a PC Specialist, server work is relatively foreign to me, let alone scripting work and Powershell. Massive thanks to this sub for making me aware of the attacks in the first place, hadn't I seen that we probably wouldn't even have been patched yet. I just wish my coworker wasn't -at least in my eyes- dropping the ball. Up to me now, I guess.
Any help would be greatly greatly appreciated!
Edit; I ran the MSERT tool this morning, which told me it hadn't found anything.
HAFNIUM targeting Exchange Servers FAQ: https://docs.microsoft.com/en-us/answers/questions/298536/faq-for-march-2021-exchange-server-security-update.html
The Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
HAFNIUM Exchange test script:
Checking for CVE-2021-26855 in the HttpProxy logs
Checking for CVE-2021-26858 in the OABGenerator logs
Checking for CVE-2021-26857 in the Event Logs
Checking for CVE-2021-27065 in the ECP Logs
Checking for suspicious files
If the system might be compromised, what needs to be done after applying the Exchange security updates?
I have joined another VM as part of my DAG. I have the following patches:
- KB5000871
- KB5001779
- KB5003435
Do I need any more patches? Recommendations post HAFNIUM.
Has anyone seen any blogs, guides or tools that tell us how to detect lateral infections to other servers?
I'll admit to not doing my own searching. But it's 01.30 and I have been reading too much about HAFNIUM tonight and can hardly see straight.
Someone didn't patch exchange fast enough.
https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/
Personally I'm sick and tired of this Hafnium. First the official articles from MS are pointing to some github repo with some script, which are full of bugs, poorly written and for the most part they don't even work!
Missing hash bundles and stuff and 3 days - again 3 days the great company Microsoft can't upload 20 bundles with hashes of their product - ridiculous.
They are now suggesting that you can get the hashes out of the installation iso files - again - HELLO Microsoft, how many employees do you need to do that for 50 versions in your "great" cloud environment. https://github.com/microsoft/CSS-Exchange/issues/313
Absolute joke!
The impacted number of exchange servers is far greater than what they are saying. Out of 20 exchange servers that I have tested only 2 are not infected. You can do the math.
Obviously MS guys are lacking the needed sense of urgency to help their customers atm.
Absolute joke!
Does anyone have a resource to assist in the review of the various Exchange Server logs associated with the HAFNIUM attacks? Or provide an explanation for the various logs,
ECPServer,
Autodiscover
HttpProxy\Owa\HttpProxy
HttpProxy\RpcHttp\HttpProxy
LocalQueue\Exchange\audit
MapiHttp\Mailbox\MapiHttp
The IOCs let you know if the server is compromised, but trying to figure out what actions were taken based on the Exchange Logs isn't talked about.
Some questions about this somewhat simplistic "redeploy Exchange" cure-all I read about as the "fer sher fix" everywhere. I don't get it. How do you know that'll do it? That that will take care of the issue of possible exploits hiding across your domain's servers because of the compromise to your Active Directory? A compromise I've also read can "pretty much be guaranteed to be there." Those compromises leading to exploits, those exploits leading to, among other bad things, allowing for rootkits to be installed.
SOOOOO... We go through the trouble of ...
- standing up a new Windows server and fully updating it,
- joining it to an Active Directory domain because you can't install Exchange without it being a part of the domain (immediately compromising it, if you're to believe some of the capabilities of these exploits),
- installing Exchange and updating to the latest/running the security patches (one might also wonder if it's do-able to go about installing Exchange while not being connected to the network and immediately being compromised by the latest hacker group to be pushing this crap),
- migrating all of the databases over from the "bad" Exchange server (I'm guessing via external USB drive because we're supposed to take the compromised server off the 'net),
- hoping the bad guys didn't simply plant exploits in the databases for this very purpose,
- Finally, everything is cherry and we don't worry another second about it, we sleep great at night.
When in reality the new box you just spent a day on is possibly already infected with the exact same exploits and issues and God-knows-what-else that the old one had. Not that you'll know for sure.
If you're serious about "nuking it from orbit, just to be sure" - doesn't that REALLY mean wiping out EVERYTHING? Active Directory. Exchange. All server boxes on your domain that might have rootkits and other unfound exploits on them get tossed in the garbage and new ones have to be bought as replacements? Everything gets started from ground zero, from scratch because we can't trust backups because who knows how far back this really goes? Who knows if the rootkits will ever be found and a way determined to remove them?
Or do you watch and run scripts to screen for weirdness with user accounts and groups, read the latest from the boys deep in the weeds investigating this and hope they get to the bottom of everything with a guaran-damn-teed way to find and remove ev
CU installed, and security patch all good. Ran w/elevation. Mailflow, ECP, OWA all look great. But outlook client now doesn't connect as it doesn't like the certificate. Anyone want to pitch in?
Save me combing through KBs about assigning thumbprints to services etc.
I have an Exchange 2016 server that was hit and I am investigating, but I am not an Exchange Admin. We know have the IOCs, several webshells and the attackers did delete the Administrator account was removed from the Exchange Organization Administrators.
The big question is: was any email accessed and exported? I don't find any evidence of mailbox exports, 7 zip files, etc., but I am hoping someone could tell me what are some other ways that the attackers could have been able to access, read and download email messages? And what logs would help determine this?
I was hoping by now there would be more information about the post exploitation email access, but I still haven't found anything. Has anyone had or seen an incident that they definitely know mailboxes or email messages were accessed and/or exported?
Hi.
I am working on an Exchange 2016 server that seems to have been breached by the HAFNIUM hack. We have of course installed the hotfix and have also run the MSERT scan tool to remove the .aspx files.
I noticed the antivirus kept blocking a "W32/PowerShellStager.B" powershell.exe application with around 45 minute gaps. So I started looking for Scheduled tasks. And more specifically the "Winnet" task that several have mentioned. In the Task Scheduler main window under "Task Status" I found that a task with the name "Winnet" had been running at exactly the same time as our antivirus blocked the powershell application.
https://preview.redd.it/btp935v5h8m61.png?width=1007&format=png&auto=webp&s=2603bc5856a148cf25b140772c0136be9b45eb06
But now comes the strange / annoying part. I am unable to find that task anywhere in the Task Scheduler Library.
https://preview.redd.it/ozi0p32fh8m61.png?width=975&format=png&auto=webp&s=f37f327033b13614e95816fedf6a35ba211f05f5
If I look in registry editor I can find the following key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Winnet.
https://preview.redd.it/b8pivxtsh8m61.png?width=1158&format=png&auto=webp&s=e0c4de113f3ca0a715738ecc4c29bebf66fa8c2a
I also found the following key which seems to contain the task:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB1D4383-B2CF-49FB-B889-ED3F83C9703E}
https://preview.redd.it/iamajurei8m61.png?width=1191&format=png&auto=webp&s=d2ca2b00df7dcb35dd59963e680b6de6b9d5f479
I also noted here that the "Author" is "SYSTEM". So I thought that maybe if I run Task Scheduler as the "SYSTEM" user I could be able to see it, but that did not seem to work either. Of course I could maybe just delete the registry keys, but I would like to see what the task is actually doing.
Any good ideas? :)
In Microsoft Security Script Repo there is a new (at least to me) script called CompareExchangeHashes.ps1, so just a heads up if there is somebody that hasn't seen that (like me)
Quote from Microsoft
"This script provides a mechanism for malicious file detection on Exchange servers running E13, E16 or E19 versions. For more information please go to https://aka.ms/exchangevulns
The script currently only validates files in exchange virtual directories only, it does not check any files in the IIS root. This script needs to be run as administrator"
Edit - I can confirm that CompareExchangeHashes.ps1 script from 11 March 2021 (I tested from 18:00h CET) makes sense - still I got some false positives. I can also see other people have some doubts about few files from that script, but it is far better than situation at the beginning of this script. I can recommend it at this point.
Edit 6: March 10 12:49h CET: If you are worried about integrity of some files (especially .aspx) and you would like to check hashes of those files inside Exchange installation - check this comment out, it might help you - https://www.reddit.com/r/sysadmin/comments/m16y8m/hafnium_breach_recap_new_compareexchangehashes/gqfpxtc?utm_source=share&utm_medium=web2x&context=3
EDIT 7 10th March 2021 17:39h CET - POTENTIALLY IMPORTANT ONE - You can check if you have been hacked, but before you click on the link, please do your research whether you will trust this link or resource or not. That said - on this link - https://checkmyowa.unit221b.com/ you can check if you have been hacked in this latest breach. According to Allison Nixon from Unit 221 B they somehow got to the list of 86.000 IPs/domains that have been hacked in this breach. If you visit the link above, you can verify yourself by visiting the website from the same IP on which your Exchange resides or by sending email to the domain that is potentially breached. I did it and I came up clean. I will update my blog with this info and screenshot, so you can check that out if you like before clicking on the above link.
One credible source that is reporting this also is https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
I already incorporated this into my earlier post, but maybe for better visibility I opened new post.
Please, before you go further and just click on link - establish that you believe source and that you wish to proceed.
My credible source which reported this website is https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
EDIT 11 March 2021: CREATOR OF THE SITE OPENED REDDIT THREAD HERE, please head there and give more info, especially those of you who had potentially positive or positive results. - https://www.reddit.com/r/exchangeserver/comments/m2mn6o/creators_of_checkmyowa_seeking_feedback_and/?utm_source=share&utm_medium=web2x&context=3
EDIT 11 March 2021: Creator of the site is active in this thread, so you can read what they said, and also I hope they will stay engaged in this thread to clarify potential doubts - https://www.reddit.com/r/exchangeserver/comments/m22bap/you_can_now_check_if_you_have_been_hackedbreached/gqjilb7?utm_source=share&utm_medium=web2x&context=3
Now, that we got disclaimer out of the way - thanks to Unit 221B for their effort and time on this - this is the link on which you can do check - https://checkmyowa.unit221b.com/
If you visit that link from the public IP on which is your exchange server, you will get pop-up from the website if you have been breached. If you are clean - you will not get anything. Important thing is you visit from public IPs on which your Exchange is on (MX record IP/ OWA public IP if it is easier to understand that way. )
Other method is to scroll down the site and enter your email address (it should be on a domain you suspect is breached) - you will get email - I got my report in SPAM, but I got it.
First method, by doing it with IP address and visiting website is better, because mostly there are breached IPs on the list.
I did both and my results are clean.
According to Allison Nixon from Unit 221B there should be 86.000 IPs on that list, so if you were breached in first wave, ther