Binary Defense is aware of four serious vulnerabilities in Microsoft Exchange servers that are being actively exploited by threat actors. The vulnerabilities affect Exchange Server 2013, 2016 and 2019. The exploit results in remote code execution without any authentication, allowing attackers to steal email messages or install web shells. All organizations that have on-premises Microsoft Exchange servers should apply the four emergency out-of-band patches that Microsoft has made available (https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/) without delay, and should examine access logs to determine whether any exploitation has already occurred. Even after the Exchange server has been patched, any web shells that have already been installed may persist.
The Microsoft Security blog referenced below has detailed advice and threat hunting queries for detecting post-compromise activity on affected Exchange servers:
The reported attacks in the wild have been limited and highly targeted. It is likely that threat actors will quickly reverse-engineer the security patches to spread the exploit more broadly, and when that happens it will present a more urgent threat. The exploits require that the Microsoft Exchange server expose port 443 to untrusted connections. As a temporary mitigation, access to port 443 of Exchange servers can be blocked from all but known and expected IP addresses.
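As an added example (not code from Binary Defense or Microsoft) of the access-log review and allowlist approach described above: a short Python script that parses IIS W3C access logs from an Exchange server and lists every client address outside an allowlist of expected networks, together with the paths and status codes it requested. The log excerpt, the allowlist and the request paths are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C access-log excerpt (not real data). IIS writes one
# space-separated record per line and replaces spaces inside a field with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-02 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 10.0.1.20 Mozilla/5.0 200
2021-03-02 08:15:07 10.0.0.5 POST /ecp/default.aspx - 203.0.113.77 python-requests/2.25 200
2021-03-02 08:15:09 10.0.0.5 GET /owa/ - 198.51.100.9 Mozilla/5.0 401
2021-03-02 08:16:30 10.0.0.5 POST /ecp/default.aspx - 203.0.113.77 python-requests/2.25 500
"""

def parse_iis_log(text):
    """Parse an IIS W3C extended log into dicts keyed by the names on the #Fields line."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order can change between log files
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed records
                entries.append(dict(zip(fields, values)))
    return entries

def unexpected_sources(entries, allowlist):
    """Group requests whose client IP falls outside the allowlisted networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    report = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set()})
    for e in entries:
        ip = ipaddress.ip_address(e["c-ip"])
        if any(ip in net for net in nets):
            continue                           # known and expected source
        r = report[str(ip)]
        r["count"] += 1
        r["paths"].add(e["cs-uri-stem"])
        r["statuses"].add(e["sc-status"])
    return dict(report)

if __name__ == "__main__":
    # Assumed allowlist: the internal network that should normally reach the server.
    hits = unexpected_sources(parse_iis_log(SAMPLE_LOG), ["10.0.0.0/8"])
    for ip, r in sorted(hits.items()):
        print(f"{ip}: {r['count']} request(s) to {sorted(r['paths'])}, status {sorted(r['statuses'])}")
```

Addresses that appear in the report are the ones to review further, and the same allowlist is what a temporary port 443 firewall rule would permit.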