As I write this on March 14 the exploit has been public news for 12 days. The FBI comments that thousands of Exchange servers are being infected every hour. Patches from Microsoft have been released to assist and many of the antivirus packages recognize Hafnium and the associated webshells.

Microsoft has several scripts posted on GitHub to help diagnose the infection. Microsoft GitHub Hafnium scripts

Use the MSERT (Microsoft Safety Scanner) to detect and remove the infection. This may require multiple passes; and it will take hours to complete the scan. MSERT Download

Make sure the server has all OS updates and Exchange updates. This is the link to the Exchange updates.

Once the infection is removed continue to scan frequently to ensure the malware doesn’t return.


Have a nice day!