Last week, Microsoft acknowledged that it was dealing with issues in Exchange Server involving two vulnerabilities: a Server-Side Request Forgery (SSRF) and a flaw that allows remote code execution via PowerShell. China state-sponsored hacking groups are alleged to be behind the exploitation of these vulnerabilities.
Microsoft further stated that Exchange Online was not affected, though mail servers running outdated Exchange Server versions might be. It also listed several ways to mitigate these attacks, among them restricting access to Remote PowerShell. However, the recommended URL blocking rule was criticized as bad advice, because attackers could still bypass it even when it was in place.
As a result, Microsoft has updated its Security Response Center post several times in an attempt to mitigate and permanently resolve the issue. The most recent updates, made on October 5 and October 6, are highlighted below:
October 6, 2022 updates:
An updated version of EOMTv2 was released to remove an extra space in the script that didn't impact functionality.
October 5, 2022 updates:
Further improvement has been made to the URL Rewrite rule mitigation. Customers should review and use one of these options:
- Option 1: The mitigation for the EEMS rule has been updated, and the updates will be applied automatically.
- Option 2: The mitigation for EOMTv2 has been updated.
- Option 3: The instructions and image in step 10 are updated for a Condition input change.
Added under the Mitigations section that Exchange Server customers should complete both recommended mitigations.
With the above updates, Exchange Server customers may now be able to fully resolve the issues they have been facing. Share your thoughts with us by dropping a comment below.