After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.

In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.