Our News/Articles/Opinions/Technotes from the world of HCL Digital Solutions

Exchange Hacks Six Weeks On – What’s Happening?

If you read this blog you’ll know I’ve written about the Exchange Hacks a few weeks back.

What’s interesting is the feedback we’ve got since. We are aware of many folks who were directly affected. We’ve heard through others of many more. Not too many people are posting flashing neon signs saying what happened to them publicly and probably understandably so.

We’ve heard through third parties of large high profile public bodies moving (or planning to move) from Exchange to Domino for mail. This is strictly a decision based on the fact they they value data security and have lost all faith that Exchange will ever be secure.

We have spoken to some of our customers here in Ireland who haven’t even heard about the hacks until they read our blog article. Which is bonkers.

What we’ve seen in some organisations (particularly in managed service environments), is that the IT admins on the ground aren’t communicating the scale of this (either willfully or through lack of oversight or a mixture between the two) to IT Management at the Business level. Then IT management are making the assumption that they’re covered because they’re patched until they get a ransom note and find loads of their data encrypted/stolen. I’m at the stage now where it’s less of a story of migrating to other platforms and more a story of making sure people are properly informed.

Given it’s probably one of the (if not the) biggest corporate hacks in history, it’s surprising it hasn’t got much more media coverage. In Ireland for example, it’s got virtually zero media coverage – it would be interesting to hear if it’s similar (or not) in other countries. I’m not saying it’s all being swept under the carpet but it’s definitely one of those things where the interests of those affected and those of Microsoft’s aren’t helped by any of the attacks being under too much public scrutiny. An example of the type of coverage would be this article by the BBC. We know the system and the vendor they’re talking about but it’s not even mentioned by name once. (I’m in no way questioning the integrity of the BBC is just part of a larger trend).

Realistically, if you read a story about an organisation getting hacked in the last two months or the next two months, you’ll have a fair idea of the root cause, regardless of whether a vendor is mentioned in the news cycle.

I think the important thing to know is that the wide scale exposure of Exchange hasn’t gone away. It’s getting more impactful if anything. I could write something every week since it’s happened about new high profile exposures. There’s been multiple themes of attacks (note that’s not single hacks, each are running into tens of thousands of attacks) on Exchange due to this:

That’s up to nine separate waves of attacks in six weeks.

There is a significant degree of community effort for everyone to be safe on this. The NSA have got involved in the States with Microsoft. Some organisations like Sophos have published some resources to their GitHub to help show up early indicators that you’ve been exposed. (though there is an irony there, as much of the ransomware is freely available on GitHub for anyone interested to have a go). There’s even a handy tool for checking your current status with OWA.

Microsoft have also released a mitigation tool again on GitHub. (No, not a migration tool, though the pragmatistic might argue a move to Domino or any secure platform is very prudent). This protects against the known vectors who have already exposed the vulnerability (it was last updated 9 days ago, I assume/hope they will continue to update it). Note that this is a significant step above patching and protects against the currently known randsomware attacks. Get this tool if you’re running Exchange. The other obvious conclusion one can make here is that Microsoft is acutely aware that these are not just another set of patches and that one needs a dedicated security team to manage ransomware attacks just for Exchange. Also there will continue to be new vectors that will expose organisations even if they’ve patched and even if they run this mitigation tool.

These are all positive reactions to an awful set of events. But it hasn’t actually really stopped the momentum. Realistically the message should really be to anyone on the Exchange platform, patch, patch, patch AND when you’ve patched, do a comprehensive security audit of your environment and continue to do so on an ongoing basis. There’s new attack types and exposures all the time, and you mightn’t know about it for weeks yet. Even Microsoft took 2 months to patch this latest hack. If you don’t patch and you’re in the US, the FBI might on your behalf. (yes, the FBI are identifying unpatched Exchange systems and patching them which just shows how terrible Exchange security is and also raises questions about law enforcement agencies accessing private systems without authorisation).

The reason I’ve written this article is I have been asked in the Domino community for updates. This is as much about getting the information out there that patching isn’t necessarily going to fix this problem, most organisations have already patched at this stage but may have already been infiltrated in the months beforehand and won’t know until they get the ransom note.

It’s grim. Stay safe.


  • Domino is so intrinsically secure, and Domino 12 is cutting edge on new security features.
  • HCL commitment to the strategy of Open Client access to mail for Domino (seamless access to mail for ANY client including Outlook).
  • And innovative and ongoing integration with third party products like Domino Online Meeting Integration (Integration with the Notes client calendar and 5 different online meeting platforms, including Microsoft Teams – seamlessly with no third party tools and no additional servers or infrastructure or cost).

The reasons for actively choosing Exchange don’t really stand up to any scrutiny especially if the security of your data is even a consideration.

Cormac McCarthy –Domino People Ltd

This image has an empty alt attribute; its file name is image.png

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>