Mar 8, 2021 Following Microsoft’s news about Hafnium, IT Security company Sophos has been closely monitoring the issue and is providing regular advice on how organizations should threat hunt and mitigate the attack/potential attack. Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.