Microsoft said the recent wave of Exchange breaches is not connected to last year’s SolarWinds attacks. AP

More than 30,000 entities compromised through Microsoft’s Exchange flaws


Alkesh Sharma

Cyber-espionage group Hafnium has exploited Microsoft’s widely used email and calendar Exchange server, breaching more than 30,000 commercial and local government entities in the US.

Criminals took advantage of disclosed flaws in the Exchange platform, a report by KrebsOnSecurity said.

They also tried to remotely take control of email servers of hundreds of thousands of other organisations globally, it said.

Microsoft disclosed four vulnerabilities in its Exchange server in a blog last week.

The gaps let hackers gain access to email accounts and install malicious code on their servers.

The company accused Hafnium, which operates from China, of plotting attacks against Exchange users.

Microsoft issued emergency patches and called on customers to install them.

The company has said the attacks are limited only to business customers and do not affect individual users.

Lotem Finkelsteen, director of threat intelligence at American-Israeli software company Check Point, said the Microsoft attack “is relevant to all businesses using Outlook but not to individual consumers … it is a server issue that the cyber attackers exploited”.

Tom Burt, Microsoft’s corporate vice president of customer security and trust, said Exchange was mainly used by business customers.

Mr Burt said there was "no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products".

Hafnium is a “highly skilled” and “sophisticated” group that steals information from various sectors, including medical researchers, law firms, education institutions, defence, think tanks and NGOs, Microsoft said.

“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the US,” it said.

Microsoft's UAE office referred The National to its blog and declined to comment further.

The US government is assessing the effect, a White House official said on Saturday.

"This is an active threat, still developing, and we urge network operators to take it very seriously," the official said.

China's Foreign Ministry said it “firmly opposes and combats cyber attacks and cyber theft in all forms”.

It said that accusing a particular nation is a “highly sensitive political issue”.

Vulnerabilities found in Exchange servers were “significant” and “could have far-reaching impacts”, said Jen Psaki, the White House press secretary.

“We are concerned that there are a large number of victims,” Ms Psaki said.

The increase in cyber threats has led to a surge in spending on cyber security, which is forecast to rise about 125 per cent to $363.05 billion by 2025 from 2019, research consultancy Mordor Intelligence said.

Industry experts said Exchange exploits were not limited to the US and could affect entities in other parts of the world.

The flaws are "quite severe even if we don't know the full scope of those attacks", Satnam Narang, staff research engineer at cyber-security company Tenable in Maryland, told The National.

“While Microsoft says that Hafnium primarily targets entities within the US, other researchers say they've seen these vulnerabilities being exploited by different threat actors targeting other regions,” Mr Narang said.

Cyber-security company FireEye has identified affected victims in the US including retailers, local governments, a university and an engineering company.

A South-East Asian government and a central Asian telecoms company were also hit.

“In addition to patching as soon as possible, we recommend organisations review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches,” said Charles Carmakal, senior vice president and chief technology officer of FireEye.

Microsoft has said the recent wave of breaches is "in no way connected" to last year's SolarWinds attacks by Russian hackers, which compromised nine US federal agencies and almost 100 businesses.

"State-sponsored hacking groups are exploiting critical Exchange bugs that Microsoft has already patched last week," Avinash Advani, founder and chief executive of Dubai cyber-security company CyberKnight, told The National.

"The disclosure will attract other threat actors looking to compromise unpatched servers."
