Microsoft suffered a series of attacks after cybercriminals started exploiting unpatched ProxyShell vulnerabilities in Microsoft Exchange servers. Several state-sponsored attackers are still targeting organizations that have not addressed the flaws. In order to mitigate this ongoing security issue and protect Exchange Servers against cyberthreats, Microsoft has added a new feature – the Microsoft Exchange Emergency Mitigation (EM) service in its September 2021 Cumulative Update (CU). The technology giant stated that the new feature is the fastest and easiest way to mitigate the highest risks to connected, on-premises Exchange servers before installing applicable security updates (SUs).
“After the release of the March SUs, we learned that many of our customers weren’t ready to install them because they were not running a supported CU. Based on our customer engagements, we realized that there was a need for a simple, easy to use, automated solution that could help customers quickly protect their on-premises Exchange servers, especially those who did not have dedicated security or IT teams to apply critical updates,” Microsoft said in an advisory.
The latest feature comes after multiple threat actor groups exploited the zero-day bugs in the Microsoft Exchange Servers.
How the Emergency Mitigation Works
The emergency mitigation component is based on Microsoft’s Exchange On-premises Mitigation Tool (EOMT), released in March. EOMT helps users and organizations mitigate potential cyberattacks that exploit the ProxyShell bugs.
As per the advisory, EM runs as a Windows service on the Exchange server and works with the cloud-based Office Config Service (OCS) to protect against security threats that have known mitigations. The EM service checks the OCS for available mitigations every hour and then downloads a signed XML file containing the mitigation configuration settings.
“Since in the future mitigations may be released at any time, we chose to have an hourly EM service check for mitigations. If Microsoft learns about a security threat and we create a mitigation for the issue, that mitigation can be sent directly to the Exchange server, which would automatically implement the pre-configured settings. The mitigation package is a signed XML file that contains configuration settings for mitigating a known security threat. Once received by the Exchange server, the EM service validates the signature to verify that the XML was not tampered with and has the proper issuer and subject, and after successful validation applies the mitigations,” the advisory added.
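The validation step the advisory describes (check the signer's issuer and subject, verify the signature, and only then read the settings) as an added illustration; this is not Microsoft's code, and the certificate names, the XML layout and the ECDSA signing are constructed placeholders, not the real mitigation package format.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed placeholders: the real service pins Microsoft's own issuer and subject.
EXPECTED_SUBJECT = "CN=Constructed Mitigation Publisher"
EXPECTED_ISSUER = "CN=Constructed Mitigation Publisher"
SIG_ALG = ec.ECDSA(hashes.SHA256())

def make_self_signed_cert(key, common_name):
    """Self-signed test certificate standing in for the real signing chain."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .sign(key, hashes.SHA256()))

def validate_package(cert, xml_bytes, signature):
    """Return the mitigation settings only if issuer, subject and signature all
    check out; the XML is not parsed at all until the signature is verified."""
    if cert.subject.rfc4514_string() != EXPECTED_SUBJECT:
        return None
    if cert.issuer.rfc4514_string() != EXPECTED_ISSUER:
        return None
    try:
        cert.public_key().verify(signature, xml_bytes, SIG_ALG)
    except InvalidSignature:
        return None
    root = ET.fromstring(xml_bytes)
    return {m.get("id"): m.get("action") for m in root.findall("mitigation")}

def demo():
    """Constructed package: one good delivery, one tampered copy, one from a wrong signer."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = make_self_signed_cert(key, "Constructed Mitigation Publisher")
    pkg = b'<mitigations><mitigation id="M1" action="block-path"/></mitigations>'
    sig = key.sign(pkg, SIG_ALG)
    rogue = ec.generate_private_key(ec.SECP256R1())
    rogue_cert = make_self_signed_cert(rogue, "Rogue Signer")
    return {
        "valid": validate_package(cert, pkg, sig),
        "tampered": validate_package(cert, pkg.replace(b"M1", b"M2"), sig),
        "wrong_issuer": validate_package(rogue_cert, pkg, rogue.sign(pkg, SIG_ALG)),
    }
```

Only the untampered package from the pinned signer yields settings; a modified file or a package from a different issuer is rejected before any setting is read.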
However, Microsoft kept EM optional: it is intended for customers who want Microsoft to create and automatically apply vulnerability mitigations to their Exchange servers. Organizations or security admins who don’t want to use EM can disable the feature and continue to use the EOMT to mitigate threats manually.