Storm-1175 hits in 24 hours — how to protect your hybrid M365 stack from Medusa
Microsoft Threat Intelligence reports that Storm-1175 deploys Medusa ransomware within a single day of initial access. Here is what we check first at HaggeBurger.
Microsoft Threat Intelligence reported this week that financially motivated actor Storm-1175 is hitting web-facing Microsoft services and dropping Medusa ransomware within 24 hours of the first compromise. The primary targets are Exchange Server, SimpleHelp, CrushFTP and ConnectWise ScreenConnect — exactly the systems small and mid-sized companies tend to keep around after a half-finished cloud migration.
This is not a slow-burn APT. From compromised Exchange server to encrypted domain in under a day is the norm. Victimology so far clusters in healthcare, education and professional services across Australia, the UK and the US — the same customer profile we see across Swedish SMBs.
What it is
Storm-1175 runs automated scanners looking for publicly reachable vulnerable services. When they find an unpatched Exchange Server — often a CVE-2023-21529 hole or something older — they live off the land with PowerShell, PsExec and Impacket. To actually land Medusa they normally do two more things: add Defender Antivirus exclusions so the payload can drop, and create a domain account for lateral movement.
That second step is the quiet signal. A fresh AV exclusion nobody can account for, paired with a new service account in AD in the last 24 hours — that is Storm-1175 sitting inside your estate for a few hours already.
Why it hits Swedish SMBs
If you still run Exchange Server on-premises or in hybrid, you are a primary target. We see this at Swedish customers every week: the migration is 90% done, but the last on-prem server is still standing "for now" because a printer or an old integration needs SMTP relay. That server is often internet-facing through OWA or ECP.
Most SMB customers on Business Premium have Defender XDR automated attack disruption available. Few have turned it on. This is exactly the scenario the feature was built for.
What you should do now
Map your external attack surface today. Anything Microsoft-related answering on port 443 from the internet needs to be on a list — Exchange OWA, ECP, on-prem SharePoint, ADFS. Shodan and Censys get you a long way as a first pass.
Verify the April 2026 cumulative update for Exchange is installed on every hybrid server. Not "we updated recently" — exact date and build number. Storm-1175 hits holes you already patched in the main tenant but missed on the forgotten mail-relay box.
Review Defender Antivirus exclusions added in the last 90 days. Every exclusion needs an owner and a ticket. If nobody remembers why C:\Scripts\* is excluded — remove it, wait for the phone call that never comes, learn something.
Turn on Defender XDR automated attack disruption if you have the license. It takes ten minutes and pays for itself the first time an intrusion chain gets broken automatically.
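The checks above (build number on every hybrid Exchange server, exclusion review, and the "fresh exclusion plus fresh domain account" signal described under What it is) can be scripted in one sweep. The following is an added example written for this post, not HaggeBurger's readiness-check tooling and not a Microsoft script. It assumes an elevated PowerShell session on a hybrid Exchange server with the Exchange Management Shell loaded (for Get-ExchangeServer) and the RSAT ActiveDirectory module installed (for Get-ADUser); $ExpectedBuild is a placeholder, since this post does not state the April 2026 CU build number.

```powershell
# Added example, not HaggeBurger's checklist tooling or a Microsoft script.
# Assumes: elevated PowerShell on a hybrid Exchange server, Exchange Management
# Shell loaded (Get-ExchangeServer) and RSAT ActiveDirectory module present
# (Get-ADUser). $ExpectedBuild is a PLACEHOLDER; put in the build of the CU you require.

$ExpectedBuild   = [version]'15.2.0.0'          # PLACEHOLDER, not the real April 2026 CU build
$ExclusionWindow = (Get-Date).AddDays(-90)      # "exclusions added in the last 90 days"
$PairingWindow   = (Get-Date).AddHours(-24)     # the 24-hour exclusion + new-account signal

# --- 1. Exchange build per server -------------------------------------------
# AdminDisplayVersion (read from AD) reflects the CU but not a later Security
# Update; the file version of ExSetup.exe on the box itself does, so check both.
function Get-ExchangeBuildStatus {
    Get-ExchangeServer | ForEach-Object {
        $text  = [string]$_.AdminDisplayVersion       # e.g. "Version 15.2 (Build 1544.4)"
        $m     = [regex]::Match($text, 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)')
        $build = if ($m.Success) {
            [version]('{0}.{1}.{2}.{3}' -f $m.Groups[1].Value, $m.Groups[2].Value,
                                           $m.Groups[3].Value, $m.Groups[4].Value)
        } else { $null }
        [pscustomobject]@{
            Server    = $_.Name
            CUBuild   = $build
            Compliant = ($null -ne $build -and $build -ge $ExpectedBuild)
        }
    }
}
function Get-LocalExSetupVersion {
    (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
}

# --- 2. Defender AV exclusions: the current set, plus when they changed -------
function Get-DefenderExclusionInventory {
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath)
        Processes  = @($p.ExclusionProcess)
        Extensions = @($p.ExclusionExtension)
    }
}
# Event 5007 in the Defender operational log records configuration changes,
# including exclusion additions; the message text names the changed key.
function Get-RecentExclusionChanges {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
}

# --- 3. Domain accounts created recently -------------------------------------
function Get-RecentDomainAccounts {
    param([datetime]$Since)
    Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Enabled |
    Select-Object SamAccountName, whenCreated, Enabled
}

# --- 4. The quiet signal: fresh exclusion AND fresh account in the same window
function Test-ExclusionAccountPairing {
    param([datetime]$Since)
    $exclusions = @(Get-RecentExclusionChanges -Since $Since)
    $accounts   = @(Get-RecentDomainAccounts   -Since $Since)
    [pscustomobject]@{
        NewExclusions = $exclusions.Count
        NewAccounts   = $accounts.Count
        Suspicious    = ($exclusions.Count -gt 0 -and $accounts.Count -gt 0)
    }
}

# Run the sweep and print a summary.
Get-ExchangeBuildStatus | Format-Table -AutoSize
"Local ExSetup.exe version: $(Get-LocalExSetupVersion)"
Get-DefenderExclusionInventory | Format-List
Get-RecentExclusionChanges -Since $ExclusionWindow | Format-Table -Wrap
Test-ExclusionAccountPairing -Since $PairingWindow | Format-List
```

Two caveats. The Defender operational log on a single server is small and rolls over quickly, so a 90-day exclusion history is only reliable if the 5007 events are collected centrally; on the box itself, treat the Get-MpPreference inventory as the source of truth and match every entry to an owner and a ticket. A Suspicious result from the pairing check is a trigger for triage, not proof of Storm-1175: a legitimate change window can produce the same pair, which is exactly why each exclusion and each new account needs a recorded reason. Automated attack disruption (step four) is switched on in the Defender portal, not from this script.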
How HaggeBurger helps
We have packaged an Anti-Medusa readiness check — a half day where we go through your external Microsoft attack surface, patch status on hybrid components and Defender exclusions. For customers still running Exchange Server we deliver the migration in our Migration Accelerator (2-4 weeks, fixed price).
Want us to take a look at your environment? Get in touch and we will book a working session this week.