Frequently Asked Questions

Product Information & APT Attack Simulation

What is Cymulate's Microsoft Exchange APT exploit simulation?

Cymulate provides a full proof-of-concept (PoC) simulation of the Microsoft Exchange APT attack (HAFNIUM) for customers. This simulation allows organizations to test and validate their defenses against the real-world techniques used in the attack, including exploitation of zero-day vulnerabilities and post-exploitation activities such as web shell deployment and privilege escalation.

How does Cymulate help organizations defend against Microsoft Exchange APT attacks?

Cymulate enables organizations to run immediate threat attack simulations and a full PoC of the Chinese APT attack in its Purple Team module. This helps security teams assess their defenses, validate remediation efforts, and identify gaps in protection against advanced persistent threats targeting Microsoft Exchange.

What research tools did Cymulate use to reverse engineer the Microsoft Exchange APT attack?

Cymulate Labs used tools such as a socat proxy for backend communication logging, certificate export and manipulation, and code diffing between vulnerable and patched DLLs to identify the root causes of the vulnerabilities (e.g., CVE-2021-26855 and CVE-2021-27065). These methods enabled the creation of accurate attack simulations for validation purposes.

How can organizations validate their remediation efforts for Microsoft Exchange vulnerabilities?

Organizations can validate their remediation efforts by running Cymulate's PoC simulation of the Microsoft Exchange APT attack. This ensures that patches and security controls are effective and that no backdoors or compromised accounts remain after remediation.

What are the key steps for defending against Microsoft Exchange APT attacks?

Key steps include patching Exchange servers, reviewing and resetting all administrative accounts, monitoring for unusual activity, and validating defenses with Cymulate's attack simulations. It's important to note that patching alone does not remove existing backdoors or compromised accounts.

What is the significance of the X-BEResource cookie in the Microsoft Exchange exploit?

The X-BEResource cookie is a critical component in the CVE-2021-26855 vulnerability. It allows attackers to craft requests that bypass authentication and access backend Exchange services, enabling further exploitation and lateral movement within the environment.

How does Cymulate's Exposure Validation module support APT attack defense?

Cymulate's Exposure Validation module enables organizations to run advanced security testing, including custom attack chains and immediate threat simulations. This helps teams quickly assess their exposure to APT techniques and validate the effectiveness of their security controls.

What are the risks of not validating Microsoft Exchange remediation efforts?

Without validation, organizations may remain vulnerable to persistent backdoors, unauthorized accounts, and ongoing exploitation by both nation-state and criminal actors. Cymulate's simulations help ensure that remediation is complete and effective.

Where can I find official guidance on mitigating Microsoft Exchange vulnerabilities?

Official guidance is available from the US Department of Homeland Security CISA (CISA Alert AA21-062A) and Microsoft (Microsoft Security Blog).

How does Cymulate empower organizations to stay ahead of APT threats?

Cymulate empowers organizations by providing continuous assessment, threat simulation, and validation of security posture. Its platform enables proactive identification of vulnerabilities and rapid validation of defenses against advanced persistent threats.

What is the role of the Purple Team module in Cymulate?

The Purple Team module in Cymulate allows organizations to run full PoC simulations of advanced attacks, such as the Microsoft Exchange APT exploit, enabling collaborative testing and validation between red and blue teams.

What is the recommended remediation process after a Microsoft Exchange APT attack?

The recommended process includes patching, reviewing all accounts, resetting administrative passwords, monitoring for unusual activity, and validating with Cymulate's PoC simulation to ensure no backdoors or unauthorized accounts remain.

How does Cymulate's platform help with lateral movement detection?

Cymulate's Attack Path Discovery module automates testing for lateral movement, helping organizations identify and mitigate risks of privilege escalation and unauthorized access across their environment.

What is the impact of the Microsoft Exchange APT attack on organizations?

The attack affected around 60,000 companies globally, leading to widespread exploitation, persistent backdoors, and increased risk of data exfiltration and further compromise by multiple threat actors.

How does Cymulate support custom attack chain creation?

Cymulate Exposure Validation makes building custom attack chains fast and easy, providing a user-friendly interface for security teams to simulate complex, multi-stage attacks and assess their defenses.

What is the benefit of running immediate threat simulations with Cymulate?

Immediate threat simulations allow organizations to quickly assess their exposure to the latest attacks, validate the effectiveness of their controls, and prioritize remediation efforts based on real-world risk.

How does Cymulate's platform contribute to continuous security improvement?

Cymulate's platform enables continuous assessment and validation, helping organizations identify gaps, measure improvements, and adapt defenses to evolving threats through regular testing and actionable insights.

Where can I learn more about Cymulate's Exposure Validation capabilities?

You can learn more by visiting the Exposure Validation data sheet and related solution briefs on the Cymulate website.

How can I schedule a demo to see Cymulate in action?

You can schedule a personalized demo by visiting https://cymulate.com/schedule-a-demo/ to see how Cymulate can help your organization validate and strengthen its security posture.

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, and more.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform is praised for its intuitive interface and actionable insights. Schedule a demo to see for yourself.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its ease of use, intuitive dashboard, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards.

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a dedicated privacy and security team including a DPO and CISO. The platform also supports 2FA, RBAC, and IP restrictions.

What educational resources does Cymulate provide?

Cymulate offers a Resource Hub, blog, webinars, e-books, and a glossary of cybersecurity terms. These resources help users stay informed about the latest threats, research, and best practices.

How often is Cymulate's threat library updated?

Cymulate's threat library is updated daily, ensuring that organizations can test their defenses against the latest threats and attack techniques.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a custom quote, schedule a demo.

Use Cases & Benefits

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

How does Cymulate help with vulnerability management?

Cymulate automates in-house validation between penetration tests, prioritizes vulnerabilities based on exploitability, and provides actionable insights for efficient remediation.

What measurable outcomes have customers achieved with Cymulate?

Customers have reported up to an 81% reduction in cyber risk (Hertz Israel), a 52% reduction in critical exposures, a 60% increase in team efficiency, and a 20-point improvement in threat prevention.

How does Cymulate support different security personas?

Cymulate tailors its solutions for CISOs (metrics and strategy alignment), SecOps (automation and efficiency), red teams (offensive testing), and vulnerability management teams (validation and prioritization).

What case studies demonstrate Cymulate's effectiveness?

Case studies include Hertz Israel (81% cyber risk reduction), a sustainable energy company (cost-effective pen testing), Nemours Children's Health (cloud visibility), and Saffron Building Society (compliance and governance).

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform, continuous threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and daily updated threat library. It is recognized as a market leader by Frost & Sullivan and a Customers' Choice in Gartner Peer Insights 2025.

How does Cymulate's attack library compare to competitors like Mandiant Security Validation?

Cymulate provides the largest attack library with daily updates, ensuring always-current attack scenario knowledge. In contrast, Mandiant Security Validation rarely expands its attack scenario library.

What support options are available for Cymulate customers?

Cymulate offers email support, real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for technical queries and best practices. Contact support or join a webinar.

Where can I find Cymulate's latest news, research, and events?

Stay updated via the Cymulate blog, newsroom, and events & webinars page for the latest threats, research, and company news.

Where can I find a central hub for Cymulate's resources?

All resources, including insights, thought leadership, and product information, are available in the Cymulate Resource Hub.

Does Cymulate provide content on preventing lateral movement attacks?

Yes, Cymulate has a blog post titled 'Stopping Attackers in Their Tracks' that discusses lateral movement attacks and prevention strategies.


Inside the APT Attack on Microsoft Exchange: Techniques, PoC & Defense Strategies

By: Cymulate

Last Updated: July 13, 2025


On March 2nd, Microsoft announced that a Chinese nation-state actor it calls HAFNIUM had been exploiting four zero-day vulnerabilities in the on-premises version of Microsoft Exchange. Microsoft and other researchers say that the Chinese government had successfully penetrated and expanded into around 60,000 companies globally. Microsoft released a patch on the day of the announcement. Because the attack was well thought out and planned, it established backdoors that remain even after the breach is remediated. Furthermore, beyond the direct attack, researchers are already finding that other criminal groups have taken advantage of the now-public vulnerabilities: as of last Friday, March 5th, they had found multiple web shells per target due to “automated deployment or multiple uncoordinated actors.”

Cymulate Labs has since released two Immediate Threat attack simulations so that customers can challenge and assess their defenses, in addition to a full PoC of the Chinese attack in the Purple Team module, as described below.

Full PoC and The Research Behind The Attack

A simulation of the APT attack is now available for Cymulate customers. Read on to understand how Cymulate Labs reverse engineered the attack so that customers can validate their protections.

Research Tools

Socat proxy:

To better understand the internal communication between the Exchange server and its backend services, we used a socat proxy to log all of the requests the server was making to local port 444. The first step was to change the IIS binding of the backend services from port 444 to a local port, 1234.

Next, we export the Exchange Server certificate.

If you have trouble exporting the original certificate, you can create one of your own and export it to a PFX file for use in the simulation.

After getting the PFX file, we extract the relevant key and certificate (the -nodes flag to openssl pkcs12 writes the private key unencrypted, so socat can load it without a passphrase prompt; without it the key file is passphrase-protected):

openssl pkcs12 -in <path_to_pfx> -nokeys -out exchange.pem

openssl pkcs12 -in 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_1_Microsoft Exchange.pfx' -nocerts -nodes -out exchange-key.pem

The resulting files can then be used in socat:

socat -v openssl-listen:444,cert=exchange.pem,key=exchange-key.pem,verify=0,reuseaddr,fork openssl-connect:127.0.0.1:1234,verify=0 1> <socat_logfile> 2>&1

Now every connection made to a local backend service is logged to a file of your choosing.

Diffing:

One extremely effective way of finding the code responsible for a vulnerability is to diff the decompiled source of the DLLs from the vulnerable server against the DLLs from the patch.

Which brings us straight to CVE-2021-26855:
Using the diff technique, together with references from previous research on the subject (we’ll link it below), we found that a few changes were made to the DLL Microsoft.Exchange.FrontEndHttpProxy, especially in the class BEResourceRequestHandler.

This class is responsible for handling requests for specific resource types, and it implements a method named CanHandle() which checks for the following:

  1. The use of a special cookie called X-BEResource.
  2. The request ends with a resource file.

If both are true, the cookie is passed to the BackEndServer.FromString() method, which inspects it to determine the relevant backend server.
The method looks for a “~” in the cookie and splits the value in two, using the first half as the path to the backend server and the second half as the “version”.

By examining GetTargetBackEndServerUrl() we get a better understanding of the correct schema for this cookie:

FQDN/<backend service>~<version>, and the resulting URL is as follows: https://FQDN/<backend service>:444/<original resource-file>.

And so, the final request looks something like this:

Apart from minor authentication issues, that is it! This cookie is the key to CVE-2021-26855: by using the correct schema, we can send unobstructed requests to any backend server of our choosing.
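As an added illustration (not code from the post or from Exchange itself), the Python below models the CanHandle()/FromString()/GetTargetBackEndServerUrl() logic just described and uses it defensively: it scans proxy log lines and flags any request whose X-BEResource cookie would be honoured. The static-file extension list, the log line format and the sample lines are constructed assumptions.

```python
import re

# Added, constructed model of the checks the post describes; not Exchange's own code.
# Assumption (labelled): "ends with a resource file" is modelled as a static-file extension.
STATIC_EXTENSIONS = (".js", ".css", ".png", ".gif", ".ico", ".htm", ".html", ".xml")
COOKIE_RE = re.compile(r"X-BEResource=([^;\s]+)", re.IGNORECASE)

def parse_beresource(cookie_value):
    """Model BackEndServer.FromString(): split on '~' into the backend part and the version."""
    if "~" not in cookie_value:
        return None
    backend, version = cookie_value.split("~", 1)
    return (backend, version) if backend and version else None

def target_backend_url(cookie_value, request_path):
    """Model GetTargetBackEndServerUrl() in the shape the post gives: https://FQDN/<svc>:444/<resource>."""
    parsed = parse_beresource(cookie_value)
    if parsed is None:
        return None
    backend, _version = parsed
    return f"https://{backend}:444/{request_path.rsplit('/', 1)[-1]}"

def classify_request(request_path, cookie_header):
    """None for an ordinary request; otherwise a dict saying why it deserves a look."""
    match = COOKIE_RE.search(cookie_header or "")
    if not match:
        return None
    if not request_path.lower().endswith(STATIC_EXTENSIONS):
        return {"reason": "X-BEResource cookie on a non-resource request", "backend_url": None}
    url = target_backend_url(match.group(1), request_path)
    if url is None:
        return {"reason": "X-BEResource cookie without the ~ schema", "backend_url": None}
    return {"reason": "would be proxied to the backend named in the cookie", "backend_url": url}

def scan_log(lines):
    """Scan constructed proxy log lines of the form '<client> <path> <cookie header or ->'."""
    findings = []
    for line in lines:
        client, path, cookies = line.split(" ", 2)
        verdict = classify_request(path, None if cookies == "-" else cookies)
        if verdict:
            findings.append({"client": client, "path": path, **verdict})
    return findings

# Constructed sample lines; hosts and addresses are documentation values, not real indicators.
SAMPLE_LOG = [
    "192.0.2.4 /owa/auth/logon.js -",
    "198.51.100.7 /owa/auth/x.js X-BEResource=mail.example.test/ecp~1",
    "198.51.100.7 /owa/auth/x.css X-BEResource=noschema",
    "203.0.113.9 /owa/auth/logon.aspx X-BEResource=mail.example.test/ecp~1",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Ordinary clients never set this cookie themselves, so even the lines the model does not route (no “~”, or a non-resource path) are reported for review rather than silently dropped.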

Now, with the SSRF at our disposal, let's move on to CVE-2021-27065 to achieve remote code execution (RCE):

From the various log files that have been distributed, and from previous research, we know to focus our efforts on the ResetOAB feature in the admin center.

The ResetOAB functionality essentially allows us to manipulate virtual directories; a by-product is that a config file is written to disk, and we control where it is written.
Not only that, but there is no validation of the file type, so nothing stops us from writing a .aspx file!

But wait: to weaponize this, we also have to control the data written to the config file.

Luckily, aside from resetting the virtual directory, we can also edit its default parameters and make sure that when these fields are written to the file they contain our code. Again, there is no input validation on the Internal and External parameters, allowing us to write malicious JavaScript into the .aspx file.

As you can imagine, these requests must carry some form of authentication; in our case that is the msExchEcpCanary and the ASP.NET session ID.

We are not going to go into details about how to acquire these at this stage, as the vulnerability still exists in the wild in large numbers. When this is disclosed we will update with the details.
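To make the two missing checks concrete, here is an added Python model (not Exchange code and not the post's own) of a virtual-directory config writer: the unchecked form behaves as the post describes (any path, any extension, Internal/External fields copied verbatim), and the hardened form beside it enforces the target directory, the .config file type and URL-shaped field values. The function names and the directory layout are assumptions.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Added, constructed model of the two checks the post says ResetOAB lacks; not Exchange code.
# All names are hypothetical and the config directory layout is assumed.

class ValidationError(ValueError):
    pass

def write_vdir_config_unchecked(out_path, internal_url, external_url):
    """Any path, any extension, both fields copied verbatim: the behaviour the post describes."""
    path = Path(out_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(f'<configuration>\n  <add key="InternalUrl" value="{internal_url}" />\n'
                    f'  <add key="ExternalUrl" value="{external_url}" />\n</configuration>\n')
    return path

def url_field_error(value):
    """Why a parameter value is rejected, or None if it is an acceptable absolute URL."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "must be an absolute http(s) URL"
    if any(ch in value for ch in '<>"\'') or any(ord(ch) < 0x20 for ch in value):
        return "contains characters that are not valid in a URL"
    return None

def write_vdir_config_hardened(config_dir, out_path, internal_url, external_url):
    """Same write, but only to a .config file inside config_dir, and only with URL-shaped fields."""
    base = Path(config_dir).resolve()
    path = Path(out_path).resolve()  # resolve() collapses '..' before the containment check
    if base not in path.parents:
        raise ValidationError("config path escapes the allowed directory")
    if path.suffix.lower() != ".config":
        raise ValidationError("only .config files may be written")
    for name, value in (("InternalUrl", internal_url), ("ExternalUrl", external_url)):
        problem = url_field_error(value)
        if problem:
            raise ValidationError(f"{name} {problem}")
    return write_vdir_config_unchecked(path, internal_url, external_url)

def attempt(config_dir, out_path, internal_url, external_url):
    """Run the hardened writer and report 'accepted' or the rejection reason."""
    try:
        write_vdir_config_hardened(config_dir, out_path, internal_url, external_url)
        return "accepted"
    except ValidationError as exc:
        return str(exc)

def demo():
    """Feed constructed requests to both writers inside a temp dir; returns what each did."""
    root = Path(tempfile.mkdtemp())
    vdirs, good = root / "vdirs", "https://mail.example.test/owa"
    marker = 'https://mail.example.test/" CONSTRUCTED-MARKER "'  # stand-in for injected content
    written = write_vdir_config_unchecked(vdirs / "evil.aspx", marker, good)
    return {
        "unchecked_suffix": written.suffix,
        "unchecked_kept_marker": "CONSTRUCTED-MARKER" in written.read_text(),
        "hardened_type": attempt(vdirs, vdirs / "evil.aspx", good, good),
        "hardened_path": attempt(vdirs, root / "wwwroot" / "x.config", good, good),
        "hardened_field": attempt(vdirs, vdirs / "owa.config", marker, good),
        "hardened_good": attempt(vdirs, vdirs / "owa.config", good, good),
    }
```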

The result of this research is a recreation of the attack in the Cymulate platform, for you to validate your protections.

If You Run Premises-Based Microsoft Exchange – Assume You Are Breached.

If your organization uses any version of premises-based Microsoft Exchange, you should assume you are currently breached. Only Exchange Online is not affected.

  1. Know that patching will not clean up an already compromised system.
  2. Most security control vendors (AV/EDR/SOCaaS) were unable to block the breach and the subsequent expansion of the attack.
  3. At a minimum, the expansion phase of the attack included the deployment of backdoor web shells and the subsequent creation of Exchange accounts.
  4. Remediation should include a full review of all accounts and a password reset of all administrative accounts in Active Directory and in Exchange.
  5. Note that both Microsoft and other researchers have detected other nation-state and criminal actors taking advantage of the exploits since the announcement on Tuesday, March 2nd.
  6. Validate remediation efforts by running a PoC of the attack from the Cymulate platform.

What Can You Do to Defend Your Organization?

Carefully testing and monitoring your network for unusual activity is critical, as the first sign of incursion may be when the threat actors try to remove data from your environment.

Other Resources

Schedule a demo to test the effectiveness of your security controls.
