On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.
Sophos customers are protected from the exploitation of the new zero-day vulnerabilities affecting Microsoft Exchange.
Threats such as HAFNIUM are a good illustration of the peace of mind that comes from having your organization backed by an elite team of threat hunters and response experts.
When the HAFNIUM news broke, the Sophos MTR team immediately began hunting and investigating in customer environments to determine whether there was any activity related to the attack. They also looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers.
The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected.
SophosLabs has also published detections for the known activity and IoCs associated with the Exchange vulnerabilities. These are in addition to the protections already in place to detect post-exploitation activity.
Concerned about HAFNIUM? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized.
How to use Sophos Live Discover to query your machines for suspect web shells related to HAFNIUM (thanks to Karl_Ackerman).
As it is a CXmail detection, I believe it's a detection in the context of a mail client, i.e. if you receive an email with a malicious attachment and try to launch it from, say, Outlook, you would get this type of alert. I guess it was a doc file with some sort of encoded macro, or password protected? I don't believe there is anything to do other than maybe deleting the email from your inbox. The attachment might exist on disk in a temp location and can be deleted from there as well.
Yeah, looking at the examples at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/CXmail~EncDoc-B/detailed-analysis.aspx, they are password protected, which I guess is where the "Enc" comes from.