Posted on March 27, 2023 at 9:39 AM
Tech giant Microsoft has launched a new Exchange Online security feature that will automatically throttle and block all emails sent from “persistently vulnerable Exchange servers.” The feature will automatically be deployed 90 days after the admins have been notified to secure the servers.
Microsoft launches an Exchange Online security feature
The Microsoft team noted that the affected Exchange servers run on premises or in hybrid environments. These servers run end-of-life software or have not been patched against known security vulnerabilities. The end-of-life versions include Exchange 2007, Exchange 2010 and, soon, Exchange 2013.
“Any Exchange server that has reached end of life (e.g., Exchange 2007, Exchange 2010, and soon, Exchange 2013) or remains unpatched for known vulnerabilities,” the team said.
However, end-of-life Exchange servers are not the only ones affected. Exchange 2016 and Exchange 2019 servers are also considered persistently vulnerable to exploits if security updates have not been deployed on them.
According to Microsoft, the new Exchange Online “transport-based enforcement system” has three distinct functions: blocking, reporting, and throttling. These functions are meant to guarantee that clients can access top-notch services that deliver the most value.
The new system aims to help Exchange admins detect unpatched and unsupported on-prem Exchange servers, so that they can upgrade or patch them before the servers become security risks.
The system will also be able to throttle and block emails sent from Exchange servers that are yet to be remediated, before those emails reach Exchange Online mailboxes.
The new enforcement system will first target servers running Exchange Server 2007 that send mail through OnPremises connectors. This allows fine-tuning before enforcement is expanded to all Exchange versions, regardless of how they connect to Exchange Online.
The team said that it uses a progressive approach designed to increase throttling gradually and then introduce email blocking, which continues until all emails sent from the vulnerable servers are rejected.
The enforcement actions have been carefully designed to escalate slowly until the vulnerable Exchange servers have been remediated, either by removing them from service (for end-of-life versions) or by patching them (for releases that are still under support).
The Exchange Team also noted that the objective behind the system is to help customers secure their environment. Customers can access the feature each time they run Exchange.
The team also noted that the enforcement system is designed to alert admins to security vulnerabilities within their environment and to protect Exchange Online recipients from potentially malicious messages sent from persistently vulnerable Exchange servers.
For some administrators, making sure that emails sent from vulnerable servers within their environment to Exchange Online mailboxes are not blocked automatically will likely be another incentive in the ongoing effort to protect end-users against potential attacks.
Microsoft warns about on-prem Exchange servers
The announcement follows a call to action issued in January, when Microsoft urged customers to keep their on-prem Exchange servers up to date by applying current Cumulative Updates, so that the servers are ready whenever an emergency security update is released.
Microsoft has also urged admins to apply the latest security patches to their Exchange servers when needed. That request followed the out-of-band security updates issued to address the ProxyLogon vulnerabilities, which were exploited in attacks months before the official patch was released.
Recently, Microsoft released a patch for another set of Exchange RCE bugs, ProxyNotShell. The patch was released two months after exploitation was first detected in the wild.
A large number of Internet-exposed Exchange servers remain, and thousands of them are still waiting to be secured against attacks that target them with ProxyLogon and ProxyShell exploits, two of the most exploited vulnerabilities of 2021.