The 2021 Microsoft Exchange attacks have affected almost every organization that had a Microsoft Exchange server online. Many of these organizations need to determine if their server was compromised, if any backdoors were uploaded, and if any post-compromise activity took place. To assist with this, TrustedSec is offering a limited Microsoft Exchange Incident Response analysis service to answer these questions.

TrustedSec consultants have already worked a number of incidents related to the 2021 Microsoft Exchange attacks. With this experience, our senior-level responders know the indicators needed to quickly determine the answers to the questions critical to each organization.

The major activities TrustedSec performs during an investigation consist of the following:

Obtain Artifacts

Each Microsoft Exchange server investigation begins by working with the client to obtain the appropriate data and artifacts from each Microsoft Exchange server for analysis. This is performed by running the TrustedSec TSIR tool on the server, which extracts forensic artifacts and logs from the server into an output directory. This directory is then uploaded to TrustedSec for analysis.

Investigate

TrustedSec Incident Response consultants analyze the uploaded data from the Exchange server for indicators of compromise related to the Microsoft Exchange attacks. Through this analysis, TrustedSec attempts to answer the following questions:

• Was the server compromised through the Microsoft Exchange attacks?
• Were any backdoors uploaded to the system?
• Is there any evidence of known post-compromise activity on the system?
• What actions need to be performed to mitigate any compromise?

No additional analysis is performed beyond what is required to answer the questions above.

Reporting

TrustedSec provides a final status email containing the findings for each of the questions above.