The Microsoft Exchange hack might be one of the worst breaches of all time – We need a new approach to email security

Proton Team

Share this page

Over the past two weeks, Microsoft clients using its Exchange servers, which includes tens of thousands of government agencies and private corporations around the world, have fallen victim to a series of hacks that have compromised their data. The breach started with a group of state-sponsored hackers attributed to China known as Hafnium, but more and more actors jumped into the fray after some of the exploits became public. 

This is a serious breach that has exposed private user data as well as corporate and state secrets, materially damaging many small and medium-sized businesses and undermining trust in many government agencies. It is also a prime example of how the current approach to user privacy and security is failing.

A timeline of the Microsoft Exchange Server hack

March 2: Microsoft announced that hackers, dubbed Hafnium, were using multiple 0-day exploits (i.e., previously undiscovered vulnerabilities) to remotely access its Exchange servers and steal data from its corporate and government users.

Essentially, these hackers took three steps and exploited four separate vulnerabilities:

  1. Hafnium gained access to Microsoft Exchange servers by taking advantage of stolen passwords and a previously undiscovered server-side request vulnerability to make itself appear to the Exchange server as someone who should have access.
  2. The attackers then created a web shell, or a backdoor that allows browser-based access to the server to anyone that knows the web shell’s URL. 
  3. Hafnium then used the web shells to execute malicious code on the server remotely. Once in, the attackers could steal data, escalate privileges, or hold data ransom.  

Microsoft responded by releasing emergency security patches for the affected systems (Exchange Server 2019-2013) and sent out a free patch to cover Exchange Server 2010, suggesting these vulnerabilities may have existed for the past 10 years. 

Two weeks after Microsoft’s initial announcement, experts estimated there were still tens of thousands of Microsoft Exchange Servers that needed to be patched. Furthermore, state-sponsored hackers had already begun exploiting sensitive systems well before Microsoft became aware of the problem. 

March 11: Microsoft detected that some of the servers compromised by Hafnium were being infected by a new type of ransomware known as DearCry. 

Multiple attackers began exploiting the same vulnerabilities as Hafnium to gain access to Microsoft Exchange Servers. They committed various attacks, including DearCry, which makes copies of target files, encrypts those copies, and then deletes the originals.

March 11 to March 15: The daily attacks attempted on Microsoft Exchange Servers increased 10 times, from roughly 700 to over 7200(new window)

Experts estimate that almost 60,000 organizations(new window) (and maybe even more) could have been affected, ranging from small and medium-sized businesses up to the European Banking Authority. The majority of the DearCry attacks have focused on government and military organizations, followed by manufacturing and financial services, while the most attacked country has been the US, followed by Germany and the UK.

Security is hard

Almost every major technology company has had significant security incidents in the past. Microsoft itself also has a long history of security vulnerabilities in its products. The lesson to take away from these attacks’ success is not that these organizations are negligent or incompetent, but that security is hard. 

In this incident, Microsoft was not attacked directly, but rather, hackers went after tens of thousands of organizations that run Microsoft Exchange software for their email. Regardless of whether it is Google, Microsoft, or their customers, cybersecurity is a form of asymmetric warfare. 

Defenders must protect all possible entry points, while attackers only need to find a single weakness to get in.

A successful defense therefore needs to have multiple layers of security so that if one layer is breached, successive layers can keep attackers away from sensitive business data. When it comes to email, Proton Mail achieves this by utilizing zero-access encryption(new window).

Whenever possible, Proton Mail encrypts an organization’s email on the client side. Even emails received from outside of an organization are encrypted before they are saved. The encryption is done in a way that prevents even Proton Mail itself from having the means to independently decrypt user data. This adds an extra layer of security because breaching a Proton Mail server does not necessarily expose user emails. Unlike in the case of Microsoft Exchange (or Gmail or any other regular email service that does not utilize zero-access encryption), a hacker would still need to find a way to decrypt the messages. 

You can’t expose data you don’t have access to

Proton Mail’s security model has prepared for a breach by investing in a technology that applies an extra layer of encryption to all messages on our servers.

Our zero-access encryption means we cannot access or read any user’s messages. Hackers cannot steal from us what we do not have access to. So even if Proton Mail ever were to be breached, a successful data exfiltration attack would be far harder to execute. 

So why don’t all companies protect their users’ data with end-to-end or zero-access encryption? For one, strong encryption is difficult to do. The technology that underpins Proton Mail required years of research and work and was developed by scientists from CERN under the scrutiny of the open source community and independent security audits. 

Then, there is also the issue of the business model a company uses. Corporations like Google make money by exploiting user data to sell ads. This is incompatible with technologies that prevent them from accessing user data, even if they are more secure. 

This is not the first major security breach, nor will it be the last. And there is no reason to single out Microsoft. In fact, such an incident would have been exponentially worse if it had happened to Google or Facebook due to the significantly larger amounts of sensitive personal information stored by those companies. Protecting against risks like this is one of the reasons that millions of individuals and small and medium-sized businesses have switched to Proton Mail. 

Encrypt all the data you can

Proton relies on user subscriptions for revenue, not leveraging our users’ data or selling access to advertisers. This makes us relatively unique among tech companies in that we do not need to access or abuse our users’ data for our business model to work. It’s not just better for privacy, it is better for security. We believe that this approach leads to a better internet that serves the interest of all people. 

Our vision is to make privacy the default on the internet and beyond Proton Mail(new window) with strong encryption. We’re also extending this approach to new services as well, applying similar protection to your schedule and files with the recently released beta versions of Proton Calendar(new window) and Proton Drive(new window).

Sign up now and take a step toward an internet that puts protecting your data first.


Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).

Protect your privacy with Proton
Get a free account

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

From having too many inboxes to manage to switching to a new email provider, there are many reasons why you’d want to delete your Gmail account. You might even be concerned that Google is abusing your privacy. Thankfully, you can delete your Gmail a
The first month of 2023 has brought brutal layoffs from Big Tech, a potential ban of TikTok in the US, and another Twitter breach. But the biggest development of this new year has to be the ascent of ChatGPT.  The chatbot can produce remarkably huma
Hackers were able to steal account details from over 200 million Twitter users and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify
From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inb
At Proton, we’re committed to building privacy-focused products that are convenient to use and improve your productivity. Last year, we released the new mobile apps for Proton Calendar and Proton Drive, letting you manage your schedule and upload imp
Most email services aren’t secure and limit attachment file sizes, but there are ways to send large files securely. If you’ve ever tried attaching multiple images or video files to an email, you’ll know that it doesn’t always work. We explain ways t