…are wreaking havoc right now. Are your Exchange servers being hit?

Here is a quick SmartLog query using the Hafnium overview from SentinelOne’s blog: or or or or or or or or or or or or

Just cut and paste the above addresses into SmartLog to see if you may have been compromised.

At the very least if you have an Exchange server I would expect to see one of these IPs to have probed your server on port 443.

Maybe you have 443 to open on your Exchange server to support OWA (still)? Having OWA behind Check Point’s Mobile Access Blade would have protected you.

Also, if your Check Point IPS signatures were updating automatically you were protected on March 1st.

Hafnium SmartLog Query

One thought on “Hafnium SmartLog Query

  • April 6, 2021 at 1:03 am

    Good stuff. Thx for the logging query.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − fourteen =