SAN FRANCISCO: Microsoft has said a state-sponsored hacking group operating out of China is exploiting previously unknown security flaws in its Exchange email services to steal data from business users.

The company said the hacking group, which it has named "Hafnium", is a "highly skilled and sophisticated actor".

Hafnium has in the past targeted US-based companies including infectious disease researchers, law firms, universities, defence contractors, think tanks and NGOs.

In a blog post on Tuesday, Microsoft executive Tom Burt said the company had released updates to fix the security flaws, which apply to on-premises versions of the software rather than cloud-based versions, and urged customers to apply them.

"We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems," he added. "Promptly applying today's patches is the best protection against this attack."