ProtonBlog(new window)
An illustration of Proton Mail's multiple layers of security

The Microsoft Exchange hack might be one of the worst breaches of all time – We need a new approach to email security

Share this page

Over the past two weeks, Microsoft clients using its Exchange servers, which includes tens of thousands of government agencies and private corporations around the world, have fallen victim to a series of hacks that have compromised their data. The breach started with a group of state-sponsored hackers attributed to China known as Hafnium, but more and more actors jumped into the fray after some of the exploits became public. 

This is a serious breach that has exposed private user data as well as corporate and state secrets, materially damaging many small and medium-sized businesses and undermining trust in many government agencies. It is also a prime example of how the current approach to user privacy and security is failing.

A timeline of the Microsoft Exchange Server hack

March 2: Microsoft announced that hackers, dubbed Hafnium, were using multiple 0-day exploits (i.e., previously undiscovered vulnerabilities) to remotely access its Exchange servers and steal data from its corporate and government users.

Essentially, these hackers took three steps and exploited four separate vulnerabilities:

  1. Hafnium gained access to Microsoft Exchange servers by taking advantage of stolen passwords and a previously undiscovered server-side request vulnerability to make itself appear to the Exchange server as someone who should have access.
  2. The attackers then created a web shell, or a backdoor that allows browser-based access to the server to anyone that knows the web shell’s URL. 
  3. Hafnium then used the web shells to execute malicious code on the server remotely. Once in, the attackers could steal data, escalate privileges, or hold data ransom.  

Microsoft responded by releasing emergency security patches for the affected systems (Exchange Server 2019-2013) and sent out a free patch to cover Exchange Server 2010, suggesting these vulnerabilities may have existed for the past 10 years. 

Two weeks after Microsoft’s initial announcement, experts estimated there were still tens of thousands of Microsoft Exchange Servers that needed to be patched. Furthermore, state-sponsored hackers had already begun exploiting sensitive systems well before Microsoft became aware of the problem. 

March 11: Microsoft detected that some of the servers compromised by Hafnium were being infected by a new type of ransomware known as DearCry. 

Multiple attackers began exploiting the same vulnerabilities as Hafnium to gain access to Microsoft Exchange Servers. They committed various attacks, including DearCry, which makes copies of target files, encrypts those copies, and then deletes the originals.

March 11 to March 15: The daily attacks attempted on Microsoft Exchange Servers increased 10 times, from roughly 700 to over 7200(new window)

Experts estimate that almost 60,000 organizations(new window) (and maybe even more) could have been affected, ranging from small and medium-sized businesses up to the European Banking Authority. The majority of the DearCry attacks have focused on government and military organizations, followed by manufacturing and financial services, while the most attacked country has been the US, followed by Germany and the UK.

Security is hard

Almost every major technology company has had significant security incidents in the past. Microsoft itself also has a long history of security vulnerabilities in its products. The lesson to take away from these attacks’ success is not that these organizations are negligent or incompetent, but that security is hard. 

In this incident, Microsoft was not attacked directly, but rather, hackers went after tens of thousands of organizations that run Microsoft Exchange software for their email. Regardless of whether it is Google, Microsoft, or their customers, cybersecurity is a form of asymmetric warfare. 

Defenders must protect all possible entry points, while attackers only need to find a single weakness to get in.

A successful defense therefore needs to have multiple layers of security so that if one layer is breached, successive layers can keep attackers away from sensitive business data. When it comes to email, Proton Mail achieves this by utilizing zero-access encryption(new window).

Whenever possible, Proton Mail encrypts an organization’s email on the client side. Even emails received from outside of an organization are encrypted before they are saved. The encryption is done in a way that prevents even Proton Mail itself from having the means to independently decrypt user data. This adds an extra layer of security because breaching a Proton Mail server does not necessarily expose user emails. Unlike in the case of Microsoft Exchange (or Gmail or any other regular email service that does not utilize zero-access encryption), a hacker would still need to find a way to decrypt the messages. 

You can’t expose data you don’t have access to

Proton Mail’s security model has prepared for a breach by investing in a technology that applies an extra layer of encryption to all messages on our servers.

Our zero-access encryption means we cannot access or read any user’s messages. Hackers cannot steal from us what we do not have access to. So even if Proton Mail ever were to be breached, a successful data exfiltration attack would be far harder to execute. 

So why don’t all companies protect their users’ data with end-to-end or zero-access encryption? For one, strong encryption is difficult to do. The technology that underpins Proton Mail required years of research and work and was developed by scientists from CERN under the scrutiny of the open source community and independent security audits. 

Then, there is also the issue of the business model a company uses. Corporations like Google make money by exploiting user data to sell ads. This is incompatible with technologies that prevent them from accessing user data, even if they are more secure. 

This is not the first major security breach, nor will it be the last. And there is no reason to single out Microsoft. In fact, such an incident would have been exponentially worse if it had happened to Google or Facebook due to the significantly larger amounts of sensitive personal information stored by those companies. Protecting against risks like this is one of the reasons that millions of individuals and small and medium-sized businesses have switched to Proton Mail. 

Encrypt all the data you can

Proton relies on user subscriptions for revenue, not leveraging our users’ data or selling access to advertisers. This makes us relatively unique among tech companies in that we do not need to access or abuse our users’ data for our business model to work. It’s not just better for privacy, it is better for security. We believe that this approach leads to a better internet that serves the interest of all people. 

Our vision is to make privacy the default on the internet and beyond Proton Mail(new window) with strong encryption. We’re also extending this approach to new services as well, applying similar protection to your schedule and files with the recently released beta versions of Proton Calendar(new window) and Proton Drive(new window).

Sign up now and take a step toward an internet that puts protecting your data first.


Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).

Protect your privacy with Proton
Create a free account

Share this page

Proton Team(new window)

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail