ProxyLogon: Inside the Exchange Server Attack Chain That Triggered an FBI Court Order
CVE-2021-26855 and three chained Exchange Server bugs gave attackers unauthenticated remote code execution — and led to a compromise event so widespread the FBI obtained a court order to remove webshells itself.
Most major exploit chains stay in the realm of “organizations should patch faster.” CVE-2021-26855, the first link in the “ProxyLogon” chain against on-premises Microsoft Exchange Server, escalated to something rarer: a court-authorized FBI operation to remove malware from privately owned servers whose administrators hadn’t cleaned them up.
What the vulnerability does
On its own, CVE-2021-26855 is a server-side request forgery (SSRF) bug: an unauthenticated attacker could make Exchange send arbitrary HTTP requests and, critically, authenticate to the server as if the request came from Exchange itself. Chained with three additional Exchange vulnerabilities — CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — that authentication bypass became a path to writing an arbitrary file to disk: a webshell, planted with no authentication required at any step.
The disclosure and immediate fallout
Microsoft disclosed the chain and shipped emergency patches on March 2, 2021, attributing initial, narrow exploitation to a threat group it named Hafnium, focused on espionage against specific organizations. That narrow window didn’t last. Within days, exploitation shifted from targeted intrusion to indiscriminate mass scanning: multiple opportunistic threat actors raced to plant webshells on every reachable, unpatched on-premises Exchange server before defenders could patch, expanding the victim count from a targeted set into tens of thousands of organizations worldwide.
Why the FBI got involved
By the time many organizations applied Microsoft’s patch, webshells had already been planted — and patching alone doesn’t remove a webshell already sitting on disk. A significant number of compromised, internet-facing Exchange servers went unremediated even after the patch was available, their owners apparently unaware they’d already been breached. In April 2021, the U.S. Department of Justice announced the FBI had obtained a court order authorizing agents to remotely access hundreds of vulnerable Exchange servers and remove the specific webshells left by the Hafnium campaign — without notifying the owners in advance, an extraordinary step reflecting the scale of unremediated compromise.
What administrators should do
CISA issued an emergency directive requiring federal agencies to patch or disconnect vulnerable on-premises Exchange servers within days, not weeks — a compressed timeline unusual even for CISA’s most urgent bulletins. The core guidance: patch immediately, and separately check for indicators of prior compromise (webshells, unusual mailbox exports) rather than assuming a clean patch means a clean server. Full technical detail on the four-CVE chain and detection guidance is in Microsoft’s security response and the NVD entry.
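One way to do the post-patch check this guidance describes, as an added example that is not code from the article, Microsoft or CISA: it walks a listing of files under web-served directories and flags server-side scripts whose content hash is absent from a known-clean baseline, plus mailbox exports (.pst) that have landed under a web root, noting anything modified on or after the 2021-03-02 disclosure. The web root, hashes and listing are constructed placeholders, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Disclosure/patch date from the article: web-content files written on or
# after it deserve review even on a server that has since been patched.
DISCLOSURE = datetime(2021, 3, 2, tzinfo=timezone.utc)
# Server-side script types IIS will execute if dropped under a web root.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}
# Hypothetical web-served directory; substitute the real Exchange paths.
WEB_ROOTS = [PureWindowsPath(r"C:\WEBROOT_PLACEHOLDER")]

@dataclass(frozen=True)
class FileRecord:
    path: str           # full Windows path
    mtime: datetime     # last-modified time, UTC
    sha256: str         # hex digest of the file's contents

def triage(listing, baseline_hashes):
    """Return {path: [reasons]} for files that patching alone would not remove.
    baseline_hashes: SHA-256 digests from a known-clean install of the same build."""
    findings = {}
    for rec in listing:
        p = PureWindowsPath(rec.path)
        if not any(root in p.parents for root in WEB_ROOTS) or rec.sha256 in baseline_hashes:
            continue  # outside the web roots, or a legitimate product file
        reasons = []
        if p.suffix.lower() in SCRIPT_EXTS:
            reasons.append("server-side script not in product baseline")
        if p.suffix.lower() == ".pst":
            reasons.append("mailbox export (.pst) in a web-served directory")
        if reasons and rec.mtime >= DISCLOSURE:
            reasons.append("modified on/after the 2021-03-02 disclosure")
        if reasons:
            findings[rec.path] = reasons
    return findings

# Constructed sample listing (not real indicators) and a one-entry baseline.
SAMPLE_LISTING = [
    FileRecord(r"C:\WEBROOT_PLACEHOLDER\owa\logon.aspx", datetime(2020, 11, 10, tzinfo=timezone.utc), "a1" * 32),
    FileRecord(r"C:\WEBROOT_PLACEHOLDER\owa\extra.aspx", datetime(2021, 3, 4, 2, 17, tzinfo=timezone.utc), "b2" * 32),
    FileRecord(r"C:\WEBROOT_PLACEHOLDER\owa\mailbox.pst", datetime(2021, 3, 5, tzinfo=timezone.utc), "c3" * 32),
    FileRecord(r"C:\LOGS_PLACEHOLDER\proxy.log", datetime(2021, 3, 6, tzinfo=timezone.utc), "d4" * 32),
]
BASELINE_HASHES = {"a1" * 32}

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LISTING, BASELINE_HASHES).items():
        print(path, "->", "; ".join(why))
```

Because matching is by content hash rather than file name, a script that reuses a legitimate product file name is still flagged; a real run would feed the listing from a directory walk of the actual web roots.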
This article describes the attack chain’s impact and official detection/mitigation guidance only — it does not include exploit code or step-by-step attack instructions.