New Microsoft Exchange Service Automates Threat Mitigation

Critical security flaws on Microsoft Exchange Server software allowed hackers full access to user emails and passwords as well as administrative privileges on affected servers. 


Earlier this year, Microsoft detected a global wave of cyberattacks and data breaches that leveraged zero-day exploits against on-premises versions of Microsoft Exchange servers. In the following weeks, an estimated 30,000 organizations in the United States were attacked. The attackers capitalized on several critical vulnerabilities in Microsoft Exchange Server software.

Microsoft Exchange Server is an email inbox, calendar, and collaboration platform that runs on Windows Server operating systems. Thousands of organizations all over the world use this service. Critical security flaws on Microsoft Exchange Server software allowed hackers full access to user emails and passwords as well as administrative privileges on affected servers.

The attackers also installed web shell malware to retain access to compromised servers even after those servers were updated and no longer vulnerable to the original exploits. On March 2, Microsoft issued updates to address the key vulnerabilities in Microsoft Exchange Server. The company attributes these attacks to Hafnium, a state-sponsored threat actor operating from China.

Cybersecurity With Microsoft Exchange Server

Automated Protection

While patches to address the critical vulnerabilities have been released, attacks on Exchange Server persist. The slow uptake of issued security fixes is a huge stumbling block to Microsoft’s efforts to eliminate Exchange Server threats, a problem the company hopes to address with its latest update.

On September 28, Microsoft released a new Exchange Server update, which includes a new optional protection feature for Exchange servers called the Microsoft Exchange Emergency Mitigation service. This tool automatically applies temporary mitigations to Exchange servers to defend against high-risk security flaws, giving administrators more time to apply updates.

What Is Microsoft Exchange Emergency Mitigation Service?

In mid-March, Microsoft released the Exchange On-premises Mitigation Tool (EOMT) to help organizations lagging in applying issued security fixes to address active Exchange Server threats from Hafnium. However, EOMT has to be applied manually. The new tool automates this process and applies mitigations as soon as they are released.

The new Microsoft Exchange Emergency Mitigation service is particularly important for smaller businesses that don’t have dedicated IT or security teams. This tool provides a simple, easy-to-use solution to help small businesses secure their on-premises Exchange servers quickly in the event of an attack. Any organization that manages self-hosted Internet-facing Microsoft Exchange servers should consider implementing the Exchange Emergency Mitigation service.

Do I Still Need To Install Exchange Server Security Updates?

Yes, Exchange Server Security Updates (SUs) are required. According to Microsoft, this new service isn’t meant to replace Exchange Server Security Updates. Microsoft Exchange Emergency Mitigation service is only intended to help organizations protect high-risk on-premises Exchange servers against potential threats before installing the applicable Exchange Server security updates.

EM is not a permanent solution; it’s only a temporary fix until security updates can be applied. Therefore, every organization that uses Microsoft Exchange Server should prioritize applying Exchange Server security updates and fixes as soon as they are available, whether the new Exchange Emergency Mitigation service is implemented or not.

How Emergency Mitigation (EM) Works

The aptly named Microsoft Exchange Emergency Mitigation (EM) service is a new Exchange Server component that builds upon the Exchange On-premises Mitigation Tool (EOMT) released earlier this year. It runs as a Windows service and is installed automatically on Exchange servers that hold the Mailbox role.

EM works by detecting Exchange Servers susceptible to known threats and applying provisional mitigations until the IT security team can install the necessary security updates. The emergency mitigation tool relies on the cloud-based Office Config Service (OCS) to check for mitigations and provide protection against known threats.

When Microsoft becomes aware of a security threat, its team creates a mitigation to address that risk. The Microsoft Exchange Emergency Mitigation service then delivers the mitigation package to the Exchange server in the form of an XML file. The XML file holds the settings required to neutralize the known security threat.

The Exchange server downloads the XML file from OCS, and the EM service validates its signature to ensure the file has not been tampered with. Only after the signature checks out does the EM service apply the pre-configured security settings automatically.

EM Is an Optional Feature

Do you have to implement the new Emergency Mitigation (EM) service for Microsoft Exchange Servers? No. Microsoft Exchange Emergency Mitigation service is an optional feature that can be disabled. If you don’t want Microsoft automatically applying mitigations to your Exchange servers, you can simply disable the EM service.

Organizations that don’t want to use this service can continue using the Exchange On-premises Mitigation Tool (EOMT) to neutralize Exchange Server threats manually. Admins can also customize EM to their company’s needs using PowerShell cmdlets and scripts. These tools give admins control over mitigations, allowing them to view, reapply, block, or remove them.
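The following Exchange Management Shell session, added here as an example and not taken from the original post or from Microsoft's documentation, shows the view / block / reapply / disable controls described above. It assumes the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties on `Get-ExchangeServer`, the `Get-Mitigations.ps1` script in the Exchange `Scripts` folder, and the `MSExchangeMitigation` service name; the server name is a placeholder.

```powershell
# Placeholder: replace with the name of the Mailbox server you are checking.
$Server = "<ExchangeServerName>"

# 1. Confirm the EM Windows service is present and running on the server.
Get-Service -ComputerName $Server -Name MSExchangeMitigation

# 2. View EM status for this server: whether it is enabled, which mitigations
#    OCS has already applied, and which ones the admin has blocked.
Get-ExchangeServer -Identity $Server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Detailed per-mitigation view (name, status, what it changed) via the script
#    shipped in the Exchange Scripts folder ($exscripts is set by the EMS).
& "$exscripts\Get-Mitigations.ps1" -Identity $Server

# 4. Block one mitigation on this server, e.g. when it breaks a business app.
#    "M01" is used as an example mitigation ID; check the list from step 3.
Set-ExchangeServer -Identity $Server -MitigationsBlocked @("M01")

# 5. Reapply it later by clearing the block list; EM picks it up on its next
#    hourly check against OCS.
Set-ExchangeServer -Identity $Server -MitigationsBlocked @()

# 6. Opt out entirely, per server or for the whole organization. Only do this
#    with a documented patching plan; EM is the stop-gap until SUs are installed.
Set-ExchangeServer -Identity $Server -MitigationsEnabled $false
Set-OrganizationConfig -MitigationsEnabled $false
```

Re-running step 2 after any change confirms the new state was written to Active Directory; the service logs its own activity under the Exchange `Logging\MitigationService` folder.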

Post-Exploit Threats

Cybersecurity continues to be an issue for organizations, governments, and individual users the world over. Compromised Exchange Servers are becoming a common attack vector for a wide range of cyberattacks and malware, including ransomware. According to Microsoft, attackers are leveraging Exchange server vulnerabilities to deploy ransomware on affected servers.

As a result, businesses and organizations need to take steps to ensure that their Exchange servers are secure and up to date. By implementing the Microsoft Exchange Emergency Mitigation service, you can significantly reduce the risk of attacks on your on-premises Microsoft Exchange Server. This service automatically applies mitigations that Microsoft has created for active security threats.

Wrapping Up

Microsoft Exchange Server is the cornerstone of communication infrastructure for many organizations around the world. Using this new tool, Microsoft seeks to make its email platform more secure. Microsoft Exchange Emergency Mitigation (EM) is based on EOMT and uses the cloud-based Office Config Service (OCS) to download mitigations that protect against high-risk vulnerabilities.

The new tool automates the threat mitigation process, making it easier for IT admins to prevent emergency situations with Exchange Servers. Emergency Mitigation helps businesses and organizations secure on-premises Exchange Servers against severe threats, such as vulnerabilities that are being actively exploited by threat actors.

Having a reliable IT partner with proven expertise in cybersecurity is crucial in a time of crisis. Initial.IT can help your organization effectively manage risks, avert threats, and deal with various emergencies such as ransomware. Our culture is built on a commitment to quality and responsiveness. Contact us today for more information.