Published Saturday, July 04, 2026 at 01:05 AM PT

BLUF: Multiple on-premises Microsoft Exchange servers are being actively exploited in coordinated attacks. Organizations running Exchange Server must immediately verify patch status and monitor for unauthorized access. Huntress MDR has detected and is responding to active exploitation campaigns.
DETAILS:
- Active exploitation targeting on-premises Exchange Server infrastructure confirmed across multiple customer environments
- Attack pattern indicates coordinated, widespread campaign rather than isolated incidents
- Huntress threat hunting and rapid response teams are actively engaged in incident response operations
- Initial access vectors and specific CVEs involved: details limited pending full technical analysis
- Timeline indicates exploitation is ongoing, with continued threat actor activity observed
IMPACT:
- Organizations with unpatched on-premises Exchange deployments are at immediate risk
- Affected scope includes small-to-mid-market businesses and enterprises relying on legacy Exchange infrastructure
- Potential compromise vectors include email access, lateral movement capability, and persistent backdoor installation
- Business email compromise and data exfiltration are the primary concerns
RECOMMENDED ACTIONS - IMMEDIATE:
- Verify patch status: Confirm all on-premises Exchange servers are current with the latest security updates from Microsoft
- Enable logging and monitoring: Activate Exchange mailbox audit logging and review recent administrative actions for anomalies
- Check for indicators of compromise: Review for web shells, suspicious transport rules, and unusual mail forwarding rules
- Isolate if compromised: Disconnect affected servers from the network if active exploitation is suspected
- Engage MDR/incident response: Contact your security operations team or managed detection and response provider immediately
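The checks in the list above, as an added triage script that is not part of the Huntress alert. It assumes it is run from the Exchange Management Shell on the Exchange server itself (so $env:ExchangeInstallPath is set) by an account with at least View-Only Organization Management, and it reports findings for human review rather than changing anything except turning mailbox audit logging on.

```powershell
# Added example (not from the Huntress alert): triage checks for an on-premises
# Exchange server, run from the Exchange Management Shell on the server itself.
# Assumptions: $env:ExchangeInstallPath is set (it is on Exchange servers) and
# the account has View-Only Organization Management or higher.
$since = (Get-Date).AddDays(-30)

# 1. Patch status: record build numbers to compare against Microsoft's
#    published Exchange build table (not embedded here; check current releases).
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.ProductVersion }

# 2. Mailbox audit logging: enable it where it is off, then pull recent
#    admin cmdlets that commonly show up in post-compromise mailbox tampering.
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true
Search-AdminAuditLog -StartDate $since -Cmdlets New-TransportRule, Set-TransportRule,
    New-InboxRule, Set-InboxRule, Set-Mailbox, Add-MailboxPermission |
    Select-Object RunDate, Caller, CmdletName, ObjectModified

# 3. Web shell sweep: recently written script files under the web-facing
#    Exchange directories deserve a manual look (hash, content, IIS logs).
$webRoots = @("$env:ExchangeInstallPath\FrontEnd\HttpProxy",
              "$env:ExchangeInstallPath\ClientAccess",
              "C:\inetpub\wwwroot\aspnet_client")
Get-ChildItem -Path $webRoots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length

# 4. Transport rules that redirect, blind-copy, or add recipients to mail flow.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, AddToRecipients

# 5. Forwarding: mailbox-level forwarding, plus inbox rules that forward,
#    redirect, or silently delete mail.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox';e={$_.MailboxOwnerId}}, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
}
```

Run it from a known-good workstation session if the server is suspected of compromise, and preserve the output and the underlying logs before any remediation so the incident responders have the evidence intact.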
SOURCES:
- Huntress Rapid Response Team (active incident response operations)
- Blue team detection and threat hunting analysis
Note: This alert reflects confirmed exploitation activity. Technical indicators and specific vulnerability details are being developed as analysis continues.
