One of the prominent targets for hackers is Microsoft Exchange, and the attack vector typically involves a popular vulnerability which the organization hasn't recently patched. A new solution by Microsoft aims at providing urgent protection after several attacks over the last year that used zero-days against on-site versions of Microsoft Exchange servers.
Microsoft has implemented a new Exchange Server capability that automatically implements interim mitigations to protect on-site systems against incoming cyberattacks, against high-risk (and probably regularly exploited) security vulnerabilities, and allows administrators to deploy security upgrades.
This update comes following a series of zero-day vulnerabilities detected in Microsoft Exchange, which was used to infiltrate servers by state-supported hacker organizations with no patch or mitigation information accessible for administrators.
Built on the Microsoft Emergency Exchange Mitigation (EM), which was launched in March to limit the attack surface, exposes the ProxyLogon vulnerabilities, the new Exchange Server component, suitable for the Microsoft exchange Emergency Mitigation (EM) service. EM is operating on Exchange Mailbox servers as a Windows service.
After implementing the September 2021 (or later) CU on Exchange Server 2016 or Exchange Server 2019 it will be installed automatically on servers having the Mail Box role. It detects Exchange Servers susceptible to one or many known threats and provides provisional mitigation until security updates can be installed by administrators.
Automatically deployed EM service mitigation is temporary until the security update could be loaded that resolves the issue and does not supersede Exchange SUs.
"This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before installing applicable SUs," the Exchange Team explained.
EM is an EOMT variant created in an Exchange server that can download from and defend against high-risk issues with existing mitigation using the cloud-based Office Config Service (OCS). Admins may deactivate the EM service unless Microsoft would like to automatically implement attenuations to its Exchange servers. They may also manage applied mitigation strategies via PowerShell cmdlets or scripts that allow mitigations to be seen, reapplied, blocked, or removed.
"Our plan is to release mitigations only for the most severe security issues, such as issues that are being actively exploited in the wild," the Exchange Team added. "Because applying mitigations may reduce server functionality, we plan on releasing mitigations only when the highest impact or severity issues are found."