Numerous IT administrators around the world had to change their agendas at short notice or work overtime at the beginning of March. All Exchange servers had to be updated to close a critical security gap. Even the American TV channel CNN reported on it. But what had actually happened?

Critical vulnerabilities were already exploited by hackers

Microsoft discovered several targeted zero-day attacks on on-premises versions of Microsoft Exchange Server. Cloud versions of Microsoft's email service were not affected. According to Heise, "over a hundred thousand Exchange servers worldwide have already been compromised. And more are being found every hour." The vulnerabilities can lead to remote code execution (RCE) and are therefore particularly critical. A hacker can send malicious cookies such as "X-AnonResource-Backend" and "X-BEResource" to the server to trigger the attack. The hacker group HAFNIUM, which is said to have connections with China, seems to be behind the large-scale attacks. Those who want to check whether they have already been attacked can find more information on the Microsoft Security Blog.

Airlock: Secure by Default

The sensational incident shows how valuable web application firewalls like Airlock Gateway can be. A WAF with a secure by default setting can buy administrators valuable time because it makes exploiting vulnerabilities much less likely. This is especially true for unknown vulnerabilities. A combination of WAF functions ensures that the attack surface is significantly reduced.

For popular applications such as Microsoft Exchange, standard WAF templates facilitate effective protection. Airlock Gateway offers such templates for Exchange and SharePoint, among others. Cookie protection is enabled both in these templates and in Airlock Gateway's standard security policy. This protects the application from manipulated cookies, such as those used in the "ProxyLogon" attack scenario.

How Cookie Protection works

By default, the application's cookies are kept in a per-user cookie store inside the web application firewall and never reach the browser. This Cookie Protection shields the users of a web application from unauthorized access to cookie content, and it protects the server from modification of cookie content. An attacker therefore cannot manipulate cookies or send unknown cookies to the backend. The HAFNIUM hack revealed several vulnerabilities, one of which is exploited using cookie injection. Airlock Gateway prevents this type of attack with the Cookie Store.
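An added sketch of the cookie-store idea described above (not Airlock Gateway's code or configuration; the class, the `GW_SESSION` cookie name and the sample values are assumptions made for illustration). The gateway absorbs backend `Set-Cookie` headers into a per-session store and forwards only those stored cookies, so client-supplied names such as `X-BEResource` never reach the backend.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "GW_SESSION"  # hypothetical name of the gateway's own session cookie


def _parse(header):
    jar = SimpleCookie()
    jar.load(header or "")
    return jar


class CookieStoreGateway:
    """Keeps backend cookies server-side, keyed by an opaque gateway session ID."""

    def __init__(self):
        self._store = {}  # session id -> {backend cookie name: value}

    def _session_id(self, cookie_header):
        """Return the session ID from a Cookie header, or None if it is unknown."""
        morsel = _parse(cookie_header).get(SESSION_COOKIE)
        if morsel is not None and morsel.value in self._store:
            return morsel.value
        return None

    def filter_request(self, cookie_header):
        """Build the Cookie header for the backend: (backend_header, names_dropped).

        Every cookie the client sent is discarded. Only cookies the backend
        itself set earlier in this session are replayed from the store.
        """
        dropped = sorted(n for n in _parse(cookie_header) if n != SESSION_COOKIE)
        stored = self._store.get(self._session_id(cookie_header), {})
        return "; ".join(f"{k}={v}" for k, v in stored.items()), dropped

    def filter_response(self, cookie_header, set_cookie_headers):
        """Absorb backend Set-Cookie headers; return Set-Cookie lines for the browser."""
        sid = self._session_id(cookie_header)
        to_browser = []
        if sid is None:  # first contact: issue an unguessable gateway session
            sid = secrets.token_urlsafe(32)
            self._store[sid] = {}
            to_browser.append(
                f"{SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/")
        for header in set_cookie_headers:
            for name, morsel in _parse(header).items():
                self._store[sid][name] = morsel.value  # never sent to the browser
        return to_browser
```

The names returned in `names_dropped` are worth logging: an unexpected cookie name arriving from a client is a useful detection signal even when the gateway has already neutralised it.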


Anyone who protects their Microsoft Mail Server with Airlock Gateway can sleep much more soundly. The prerequisite, of course, is that the WAF is configured securely — preferably by default. The Exchange patches urgently recommended by Microsoft are thus still necessary, but no longer quite so urgent.
