Emails Siphoned from Microsoft Servers

We have learned yet one more reason to refrain from sending confidential information through email. Yesterday, Microsoft released a statement confirming that zero-day vulnerabilities have been used in an effort to siphon emails from Microsoft Exchange servers.

HAFNIUM, a group of Chinese hackers that typically targets U.S. sectors including private business and government, used a remote code execution vulnerability that allowed them to take over the servers without any form of authentication and siphon emails. This was the result of the zero-day Microsoft vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Patches for these vulnerabilities have since been released.

Microsoft Exchange Server 2013, 2016, and 2019 are susceptible. Affected are Exchange servers in the cloud as well as self-hosted servers. Even customers connecting to Microsoft’s own cloud-hosted Exchange servers were vulnerable until after the patch was released. It is imperative that the patches be applied immediately to mitigate the issue.

This attack represents one more reason that PCI and HIPAA regulations forbid confidential information such as credit card numbers, Social Security numbers, and other PII (Personally Identifiable Information) from being sent over email. Regardless of this particular vulnerability, many email servers are still using old protocols such as POP instead of IMAP or other secure protocols. As a result, many emails, even today, are still sent over the wire (or the air) using plaintext protocols that allow an attacker to easily sniff them using tools such as Wireshark. Companies need to continue enforcing policies that prohibit sensitive information from being sent through email.
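One way to audit the plaintext-protocol problem described above is to scan exported mail-session transcripts and flag any session in which credentials were sent before the connection was upgraded to TLS. The script below is an added example, not code from the original post or from Microsoft; the transcript format (`session_id protocol C:/S: payload`, one line per message) and the sample sessions are constructed for the example, and the script deliberately records only the command verb, never the credential itself.

```python
"""Flag POP3/IMAP/SMTP sessions that send credentials without first negotiating TLS.

Added example (not part of the original post). Input is a constructed text
transcript with one message per line: '<session_id> <protocol> <C:|S:> <payload>'.
A session is flagged when a credential-carrying client command (POP3 USER/PASS,
IMAP LOGIN, SMTP AUTH) appears before any STLS/STARTTLS command. Implicit-TLS
sessions (ports 995/993/465) would never be readable as text, so any readable
credential exchange is unprotected by definition.
"""
import re
from dataclasses import dataclass, field

# Client commands that carry credentials, per protocol (sample set, not exhaustive).
CREDENTIAL_PATTERNS = {
    "pop3": re.compile(r"^(USER|PASS)\s", re.I),
    "imap": re.compile(r"^\S+\s+LOGIN\s", re.I),  # IMAP commands start with a tag
    "smtp": re.compile(r"^AUTH\s", re.I),
}

# Client commands that upgrade the connection to TLS.
TLS_UPGRADE = {
    "pop3": re.compile(r"^STLS\b", re.I),
    "imap": re.compile(r"^\S+\s+STARTTLS\b", re.I),
    "smtp": re.compile(r"^STARTTLS\b", re.I),
}


@dataclass
class Session:
    session_id: str
    protocol: str
    tls_negotiated: bool = False
    cleartext_credentials: list = field(default_factory=list)  # verbs only


def parse_transcript(lines):
    """Group transcript lines into Session objects, tracking TLS state per session."""
    sessions = {}
    for raw in lines:
        raw = raw.rstrip("\r\n")
        if not raw.strip():
            continue
        session_id, protocol, direction, *rest = raw.split(" ", 3)
        payload = rest[0] if rest else ""
        sess = sessions.setdefault(session_id, Session(session_id, protocol.lower()))
        if direction != "C:":
            continue  # only client commands carry credentials or request TLS
        if TLS_UPGRADE[sess.protocol].match(payload):
            sess.tls_negotiated = True
        elif CREDENTIAL_PATTERNS[sess.protocol].match(payload) and not sess.tls_negotiated:
            # Record the verb only; the password/AUTH blob is never stored or printed.
            verb = payload.split()[1] if sess.protocol == "imap" else payload.split()[0]
            sess.cleartext_credentials.append(verb.upper())
    return sessions


def find_cleartext_logins(transcript_text):
    """Return [(session_id, protocol, [verbs])] for sessions that authenticated in the clear."""
    sessions = parse_transcript(transcript_text.splitlines())
    return sorted(
        (s.session_id, s.protocol, s.cleartext_credentials)
        for s in sessions.values()
        if s.cleartext_credentials
    )


# Constructed sample transcript: s1 and s3 authenticate in the clear; s2 and s4 upgrade to TLS.
SAMPLE_TRANSCRIPT = """\
s1 pop3 S: +OK POP3 ready
s1 pop3 C: USER alice
s1 pop3 S: +OK
s1 pop3 C: PASS sample-secret
s1 pop3 S: +OK Logged in.
s2 imap S: * OK IMAP4rev1 ready
s2 imap C: a1 STARTTLS
s2 imap S: a1 OK Begin TLS negotiation now
s3 smtp S: 220 mail.example.net ESMTP
s3 smtp C: EHLO laptop
s3 smtp C: AUTH PLAIN AGFsaWNlAHNhbXBsZS1zZWNyZXQ=
s3 smtp S: 235 2.7.0 Authentication successful
s4 pop3 C: STLS
s4 pop3 S: +OK Begin TLS negotiation
"""

if __name__ == "__main__":
    for session_id, protocol, verbs in find_cleartext_logins(SAMPLE_TRANSCRIPT):
        print(f"{session_id} ({protocol}): credentials sent in the clear via {', '.join(verbs)}")
```

Run against the embedded sample, the script reports `s1` (POP3 USER/PASS) and `s3` (SMTP AUTH) as sessions that exposed credentials on the wire, while the two sessions that issued STLS/STARTTLS before authenticating are left alone. The same logic applies to a transcript exported from a capture tool, and is a practical way to verify that a "no plaintext mail protocols" policy is actually being enforced.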

Click here for more information regarding Microsoft’s latest vulnerabilities.

Written by Michael Miller