Microsoft Exchange Server Zero-Day Vulnerabilities Exposed Early Due to Limited Targeted Attacks

Microsoft said it was working as quickly as possible to release fixes to its Exchange servers and urged on-premises Microsoft Exchange customers to add a blocking rule in Internet Information Services (IIS) Manager as a temporary workaround to mitigate the potential threats.

In the absence of official patches, your organization should check your environments for signs of exploitation and then apply emergency mitigations.

Detect exploitation

GTSC has recommended that organizations check whether their Exchange servers have ever been compromised by running this PowerShell command against the IIS log directory (replace <path to IIS logs> with the directory that holds the server's IIS logs): Get-ChildItem -Recurse -Path <path to IIS logs> -Filter "*.log" | Select-String -Pattern 'powershell.*Autodiscover.json.*@.*200'

The cybersecurity firm has also developed a search tool for signs of exploitation and published it on GitHub. Additionally, Microsoft has provided guidance on using its own security tools, such as Microsoft Sentinel, Microsoft Defender for Endpoint, and Microsoft Defender Antivirus, to detect the exploit.

Mitigate vulnerabilities

Until Microsoft releases official patches, it has recommended the following steps to mitigate exploitation of your on-premises Exchange servers:

  • Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block known attack patterns. Exchange Server customers should review and choose only one of the following three mitigation options.
    • Option 1: For customers who have Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft has released URL Rewrite Mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically.
    • Option 2: Microsoft created this script for URL rewrite mitigation steps.
    • Option 3: Customers can follow these detailed steps on Microsoft’s blog to add the blocking rule to break the current attack chains.

Microsoft said Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-premises and cloud systems, so you should follow the advice above to protect your on-premises servers where it applies to your environment.