Guidance for partners on critical Exchange Server security updates - Microsoft AI Cloud Partner Program

On Tuesday, March 2, 2021, Microsoft released security updates for multiple on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group that we are calling Hafnium. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

The versions affected are:  

  • Microsoft Exchange Server 2013   
  • Microsoft Exchange Server 2016   
  • Microsoft Exchange Server 2019  
  • Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes. 

To minimize or avoid the impact of this situation, Microsoft highly recommends that you take immediate action: apply the updates to any on-premises Exchange deployments that you have or manage for a customer, or advise your customer of the steps they need to take. Prioritize servers that are accessible from the Internet (for example, servers publishing Outlook on the web/OWA and ECP).

Further information and guidance   

Please ensure you keep reading the Microsoft Security Response Center and Exchange Team blogs for the latest information. 

Not related to known attacks 


  • Tracey Pretorius
    Senior Director, Global Security Research Strategy

    Tracey leads Microsoft's worldwide security researcher enablement strategy efforts to ensure our customers benefit from world-class security and AI solutions. She is passionate about helping customers and partners navigate an ever-evolving cybersecurity landscape and leverage Microsoft technology to effectively protect against and respond to cybercrime. Collaboration with security experts and partners across industries is critical to driving cybersecurity advancements. Tracey is involved in a number of groups: she co-founded and chairs the Microsoft Women in Security (MWiS) group, is engaged in the Executive Women’s Forum (EWF) for Information Security, Risk Management & Privacy, is an executive sponsor of partner KPMG’s i-4 Forum for Information Security & Risk professionals and sits on their CISO global member advisory board, is an advisory board member at Strategic Cyber Ventures, and is also on the board of directors of the Choroideremia Research Foundation.