…are wreaking havoc right now. Are your Exchange servers being hit?
Here is a quick SmartLog query using the Hafnium overview from SentinelOne’s blog:
18.104.22.168 or 22.214.171.124 or 126.96.36.199 or 188.8.131.52 or 184.108.40.206 or 220.127.116.11 or 18.104.22.168 or 22.214.171.124 or 126.96.36.199 or 188.8.131.52 or 184.108.40.206 or 220.127.116.11 or 18.104.22.168
Just cut and paste the above addresses into SmartLog to see if you may have been compromised.
At the very least, if you have an Exchange server, I would expect one of these IPs to have probed your server on port 443.
Maybe you (still) have 443 open on your Exchange server to support OWA? Having OWA behind Check Point's Mobile Access Blade would have protected you.
Also, if your Check Point IPS signatures were updating automatically, you were protected on March 1st.
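The same check can be run offline against exported logs. The sketch below is an added example, not part of the original post or of any Check Point tooling: it parses an "or"-joined address query like the one above, then separates accepted port-443 connections from dropped ones. The `key=value` log layout, the function names, and the documentation-range addresses are all constructed assumptions, not SmartLog's export format or real indicators.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: documentation-range addresses, not real indicators.
SAMPLE_QUERY = "203.0.113.7 or 198.51.100.23 or 203.0.113.7 or 198.51.100.99"
SAMPLE_LOG = """\
time=2021-03-02T23:14:05Z src=203.0.113.7 dst=192.0.2.10 service=443 action=Accept
time=2021-03-02T23:14:09Z src=203.0.113.7 dst=192.0.2.10 service=443 action=Accept
time=2021-03-03T01:02:44Z src=198.51.100.23 dst=192.0.2.10 service=443 action=Drop
time=2021-03-03T01:05:10Z src=198.51.100.23 dst=192.0.2.10 service=25 action=Accept
time=2021-03-03T04:40:31Z src=192.0.2.200 dst=192.0.2.10 service=443 action=Accept
"""

def parse_or_query(query):
    """Split an 'a or b or c' query into unique, validated IP strings."""
    seen, out = set(), []
    for token in re.split(r"\s+or\s+", query.strip(), flags=re.IGNORECASE):
        ip = str(ipaddress.ip_address(token.strip()))  # ValueError on a bad token
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

def summarize_hits(log_text, indicators, port=443):
    """Count Accept/Drop per indicator for connections to the given port."""
    wanted = set(indicators)
    summary = defaultdict(lambda: {"Accept": 0, "Drop": 0, "first_seen": None})
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("src") not in wanted or fields.get("service") != str(port):
            continue
        entry = summary[fields["src"]]
        if fields.get("action") in ("Accept", "Drop"):
            entry[fields["action"]] += 1
        t = fields.get("time")  # ISO-8601 UTC strings sort chronologically
        if t and (entry["first_seen"] is None or t < entry["first_seen"]):
            entry["first_seen"] = t
    return dict(summary)

def needs_review(summary):
    """Indicators whose traffic was accepted, i.e. reached the server."""
    return sorted(ip for ip, e in summary.items() if e["Accept"] > 0)

if __name__ == "__main__":
    report = summarize_hits(SAMPLE_LOG, parse_or_query(SAMPLE_QUERY))
    print(report)
    print("accepted on 443, review:", needs_review(report))
```

An accepted connection from a listed address only shows that the request reached the server; the Exchange host itself still has to be examined to decide whether it was compromised.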