In light of the recent Microsoft Exchange Server attack, which puts on-premises versions of Microsoft Exchange Server at risk, we recommend using the attached DSL query filter (suggested for the Discover/Explore page), which is based on the IOCs published by Microsoft, to verify that no servers or workstations are compromised. Follow the steps below:

1.  Add Filter Bubble

2.  Click “Edit Query DSL” at the top right.

3.  Delete {} and paste in the entire content of the attached JSON file.

4.  After performing the above steps (1-3), click Save and name the “Search” so that it can be referenced again in the future.

sha1sum: 31982366c7680ca6aebea6121bd0a3c49c4b16b7