Re: Exchange/OWA vulnerability actively exploited

Royce Williams

An option to buy time: you can limit OWA to just Alaskan networks (will still impact distributed workforce, but can at least lessen collateral damage):

But I would consider even that to be temporary. The threat actor is likely quite busy managing all of their newly compromised hosts. Making them come from Alaskan IP space to target you next makes you only slightly less low-hanging fruit. :D

Royce Williams
Tech Solvency

On Fri, Mar 5, 2021 at 2:45 PM Royce Williams via <> wrote:
The news coverage for this has been vigorous, but just in case:

The general consensus is that if you still have public-facing OWA, and it was not patched (or blocked from public access) as soon as the Microsoft announcement came out, you should basically assume that it's compromised at this point.

The article contains links to the CISA announcement and guidance, which have IOCs.
