China-based government hackers have exploited a bug in Microsoft’s email server software to target U.S. organizations, the company said Tuesday.

Microsoft said that a “highly skilled and sophisticated” state-sponsored group operating from China has been trying to steal information from a number of American targets, including universities, defense contractors, law firms and infectious-disease researchers.

Reston, Virginia-based cybersecurity firm Volexity, which Microsoft credits for helping to detect the intrusions, said its network security monitoring service began picking up on a suspiciously large data transfer in late January.

And things could get a lot worse.

“They’re just downloading email, literally going to town,” said Steven Adair, Volexity’s president, who said the targets have included “defense contractors, international aid and development organizations, the NGO think-tank community.”

Adair said he’s concerned that the hackers will accelerate their activity in the coming days before organizations are able to install Microsoft’s security upgrades.

“As bad as it is now, I think it’s about to get a lot worse,” he said. “This gives them a limited amount of opportunity to go and exploit something. The patch isn’t going to fix that if they left their backdoor behind.”

Microsoft said it has released security upgrades to fix the vulnerabilities to its Exchange Server software, which is used for work email and calendar services, mostly for larger organizations that have their own in-person email servers. It doesn’t affect personal email accounts or Microsoft’s cloud-based services.

The new attack comes two months after a massive cyberattack attributed to Russia-based hackers hit the US.

The company said the hacking group it calls Hafnium was able to trick Exchange servers into allowing it to gain access. The hackers then masqueraded as someone who should have access and created a way to control the server remotely so that they could steal data from an organization’s network.

Microsoft said the group is based in China but operates from leased virtual private servers in the U.S., helping it avoid detection.

The company declined to name any specific targets or say how many organizations were affected.

SolarWinds hack reached actual source code – in Microsoft’s own words

The attack

In a blog post, the company explained the attack:

“Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers’ Microsoft Exchange servers.

“Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results.

“The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter.”