Skip to main content

HAFNIUM - Exchange 0-day exploits

This Playbook is part of the Rapid Breach Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook includes the following tasks: Collect indicators to be used in your threat hunting process. Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities. Discover IOCs related to the attack. Query firewall logs to detect malicious network activity. Search endpoint logs for malicious hashes to detect compromised hosts. (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: Sources:


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Splunk Indicator Hunting
  • QRadar Indicator Hunting V2
  • Search Endpoints By Hash - Generic V2
  • Palo Alto Networks - Hunting And Threat Detection
  • QRadarFullSearch
  • Search Endpoint by CVE - Generic
  • Block Indicators - Generic v3


This playbook does not use any integrations.


  • Set
  • SearchIncidentsV2
  • http


  • linkIncidents
  • setIndicators
  • extractIndicators
  • splunk-search
  • expanse-get-issues

Playbook Inputs#

NameDescriptionDefault ValueRequired
BlockIndicatorsAutomaticallyWhether to automatically block indicators involved with HAFNIUM exploits.FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

HAFNIUM - Exchange 0-day exploits