Microsoft has announced that it will start throttling and blocking emails from Exchange servers that are not up to date with the latest security patches. The move is part of the company's efforts to protect customers from cyberattacks and prevent the spread of malware. Microsoft Exchange Server has been subject to two major cybersecurity scares this year.
Exchange Server is a popular email and calendaring solution for businesses that run on Microsoft's platform. It allows users to access their email, contacts, calendars, tasks, and more from any device and any location. Exchange Server can be deployed on-premises, in the cloud, or as a hybrid solution.
Microsoft now says it is implementing a transport-based enforcement system (TES) in Exchange Online. This means the company will throttle and then block emails that come from on-premises servers that have not been patched. If the server is not remediated, its emails will eventually be blocked:
“To address this problem, we are enabling a transport-based enforcement system in Exchange Online that has three primary functions: reporting, throttling, and blocking. The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked.
“We don't want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service.”
How can customers avoid email blocking?
Microsoft said that customers can avoid email blocking by updating their Exchange servers to the latest version or migrating to Exchange Online, which is a cloud-based service that is part of Microsoft 365. The company also recommended that customers scan their systems for any signs of compromise and follow best practices for securing their email environment.
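The first remediation step Microsoft describes above is knowing which on-premises servers are out of date. The following is an added example, not code from the article or from Microsoft: it runs in the Exchange Management Shell, uses the real `Get-ExchangeServer` cmdlet to read each server's build, and compares it with a baseline table that you supply. The baseline values shown are placeholders, and the function name `Get-ExchangeServerPatchStatus` is an assumed name for this example.

```powershell
# Added example (not from the article or from Microsoft): inventory on-premises
# Exchange servers and flag any whose build is below a baseline you supply.
# Run from the Exchange Management Shell. Get-ExchangeServer is the real cmdlet;
# the baseline table is a PLACEHOLDER that you fill in from Microsoft's published
# Exchange Server build numbers for the current CU/SU.
function Get-ExchangeServerPatchStatus {
    param(
        # Keys are "Major.Minor" version families (15.1 = Exchange 2016,
        # 15.2 = Exchange 2019); values are the lowest build you treat as patched.
        [hashtable]$MinimumBuild = @{
            '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: replace with the current Exchange 2016 build
            '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: replace with the current Exchange 2019 build
        }
    )

    Get-ExchangeServer | ForEach-Object {
        # AdminDisplayVersion renders as e.g. "Version 15.2 (Build 1118.7)"
        $text = $_.AdminDisplayVersion.ToString()
        if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $build  = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
            $family = "$($Matches[1]).$($Matches[2])"
            $floor  = $MinimumBuild[$family]
            $status = if (-not $floor)        { 'No baseline defined for this version family' }
                      elseif ($build -lt $floor) { 'Below baseline - patch required' }
                      else                      { 'At or above baseline' }
        } else {
            $build  = $null
            $status = "Could not parse '$text'"
        }
        [pscustomobject]@{
            Server = $_.Name
            Role   = $_.ServerRole
            Build  = $build
            Status = $status
        }
    }
}

# Usage: servers that need attention sort to the top of the report
Get-ExchangeServerPatchStatus | Sort-Object Status | Format-Table -AutoSize
```

Servers reported as "Below baseline" or with no defined baseline are the ones that TES reporting would surface and, if left alone, would see their mail flow throttled and then blocked. Updating the hashtable each time Microsoft ships a Security Update keeps the report meaningful.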
In January, Microsoft urged users to patch to the latest security versions of Microsoft Exchange Online to thwart a phishing campaign. Attackers were potentially exploiting an Exchange Server bug (CVE-2022-41080), which Microsoft fixed.
CVE-2022-41080 is an elevation of privilege flaw that was first found in November. A team at cybersecurity firm CrowdStrike found that attackers were able to chain this flaw with another bug – CVE-2022-41082 – to achieve remote code execution.
In February, we reported on a cryptojacking campaign known as ProxyShellMiner that was exploiting vulnerable Exchange servers. ProxyShellMiner leverages three vulnerabilities in Microsoft Exchange servers to gain remote code execution and install a Monero miner on the infected machines. Once the attackers have gained a foothold in the network, they can do anything from backdoor deployment to code execution.
Earlier this year, it emerged Microsoft is exploring bringing automatic updates to Exchange Server.