Case Study

The Server Nobody Was Watching

They had the tools. They had the team. What they didn't have was visibility into the one asset that mattered most.

Industry: Multi-Industry
Environment: Hybrid: VMware, Windows, M365
Assessment: External Exposure Assessment
Scope: Outside-in only
Time to compromise: Under 2 hours
Entry point: One forgotten asset
Impact: Full environment exposure

The Situation

A multi-entity organization with operations across multiple business verticals was mid-migration to Microsoft 365. Most mailboxes had already moved. Infrastructure was managed. Security tooling was in place.

But one business unit delayed the migration. For over a year, a legacy Microsoft Exchange server remained online. Externally reachable, unpatched and outside the scope of every prior assessment. No alerts. No ownership. No visibility from the outside.

The most dangerous asset in the environment wasn't their primary system. It was the one they forgot to turn off.

What We Found

ExposureMark's external assessment revealed a set of externally observable exposures forming a direct path from the public internet to the organization's critical infrastructure.

Legacy Exchange Server, Externally Exposed
Severity: Critical
An on-premises Exchange server, retained by one business unit that delayed M365 migration, was reachable from the internet with unpatched critical vulnerabilities. Excluded from all prior assessments.

Administrative Interfaces Externally Reachable
Severity: Critical
Management interfaces were accessible from outside the perimeter without sufficient access controls, indicating a path to privileged access.

No Observable Segmentation from Entry Point
Severity: Critical
From the externally exposed server, no segmentation controls were observable from the initial access point. This indicates a flat network topology between production, management and backup systems.

Shared Access Patterns Across Infrastructure
Severity: High
Access patterns suggested reuse of administrative access across multiple systems, meaning a single compromise could cascade across the environment.

Backup Systems Reachable from Same Network Path
Severity: High
Backup infrastructure appeared accessible from the same network segment as production. No isolation observable from the attack path.

This assessment reflects only externally observable exposure, not internal security posture.

The Attack Path

By connecting the findings, we mapped the most probable path an attacker would follow. It required no sophisticated tooling.

1. Initial Access. Externally exposed Exchange server, unpatched, exploitable via known CVEs.
2. Credential Access. Administrative credentials obtainable from the compromised system. Access patterns suggesting reuse across infrastructure.
3. Lateral Movement. No segmentation controls observable from entry point. Single credential provides access across systems.
4. Full Environment Exposure. Broad access to infrastructure, applications and data from a single external entry point.

Estimated time from initial access to full environment exposure: under 2 hours. No advanced tooling required.

In practical terms: ransomware, stolen data or quiet long-term access. Whichever the attacker chose to do first.


What Happened Next

The critical finding closed first. Within days of report delivery, the organization removed the legacy Exchange server from external visibility. This eliminated the under-2-hour path to full environment exposure.

Over the following six months, the organization began implementing multi-factor authentication and working through the prioritized remediation sequence outlined in the report. At the six-month recheck, the most severe exposure remained closed. Structural improvements (MFA rollout, segmentation, access control hardening) were underway but not yet complete.

At the six-month recheck, the organization commissioned a new external assessment to see what's reachable today, measure the drift since the original engagement and confirm that the remediation in progress is holding.

External exposure remediation is a sequence, not a single fix. The value of the engagement wasn't the report. It was identifying which single fix closed the worst path first, and the recheck cadence that kept progress visible enough to act on again.

Assessment Scope
External exposure only
Outside-in perspective
Focused on what is reachable and exploitable from the internet
No internal access required or used

What's in your blind spot?

A single-domain assessment takes 72 hours and starts at $1,500. No internal access required. Fixed scope, fixed price.

ExposureMark Inc © 2026 · New York Metro