[TheRecord] Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes

Microsoft will roll out tomorrow a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years.

Called the Microsoft Exchange Emergency Mitigation (EM) service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches.

The EM service will be enabled by default on every Exchange server once the September 2021 Cumulative Updates (CUs) are installed. The CUs ship tomorrow, after Microsoft delayed their release last week to give the team more time to finish the feature.

Under the hood, the feature will work by connecting to the Office Config Service (OCS) and downloading mitigations (in the form of XML rules) from the following URL:


These mitigations contain three types of configuration changes:

- IIS URL Rewrite rule mitigation. This is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server.
- Exchange service mitigation. This disables a vulnerable service on an Exchange server.
- App Pool mitigation. This disables a vulnerable app pool on an Exchange server.

Once Microsoft detects a new attack, it will push out temporary mitigations via EM to every Exchange server running the service and begin working on a software patch.

“Since in the future mitigations may be released at any time, we chose to have the EM service check for mitigations hourly,” the Microsoft Exchange team said last week.

For Exchange servers that are installed in highly secured environments, Microsoft is also providing a way to disable the EM service and let administrators apply mitigations by hand or by using the Exchange On-premises Mitigation Tool (EOMT).

Instructions on disabling the EM service are available on this documentation page.
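Before relying on the three mitigation types above, or disabling EM as described for locked-down environments, an administrator will want to see what the service has actually done on a given server. The following PowerShell script is an added example and is not code from The Record or from Microsoft. It reads the EM switches and the lists of applied and blocked mitigations from Get-ExchangeServer and Get-OrganizationConfig (property and cmdlet names as in Microsoft's EM documentation; verify them against the documentation page referenced above), then parses the Default Web Site's web.config to list the IIS URL Rewrite rules present, which is the form the first mitigation type takes. The web.config path is an assumption.

```powershell
# Added example (not from the article or from Microsoft): inventory the
# Emergency Mitigation (EM) service state on one Exchange server and list
# the IIS URL Rewrite rules currently present in the Default Web Site's
# web.config. Run from the Exchange Management Shell.
# Cmdlet names and the MitigationsEnabled / MitigationsApplied /
# MitigationsBlocked properties follow Microsoft's EM documentation;
# confirm them against the documentation page before a change window.
param(
    [string]$Server = $env:COMPUTERNAME,
    # Assumption: the Default Web Site root web.config is where EM writes
    # its URL Rewrite rules. Adjust if the site root differs.
    [string]$WebConfig = "$env:SystemDrive\inetpub\wwwroot\web.config"
)

# 1. EM state: the per-server switch, the organization-wide switch, and the
#    mitigation IDs the service has applied or an admin has blocked.
$srv = Get-ExchangeServer -Identity $Server
$org = Get-OrganizationConfig
[pscustomobject]@{
    Server                   = $srv.Name
    OrgMitigationsEnabled    = $org.MitigationsEnabled
    ServerMitigationsEnabled = $srv.MitigationsEnabled
    MitigationsApplied       = ($srv.MitigationsApplied -join ', ')
    MitigationsBlocked       = ($srv.MitigationsBlocked -join ', ')
} | Format-List

# 2. URL Rewrite rules in web.config. Every rule here changes which requests
#    reach Exchange, so review them next to the EM status rather than
#    trusting either view alone. Missing <rewrite> section => no rules listed.
if (Test-Path $WebConfig) {
    [xml]$cfg = Get-Content -Path $WebConfig -Raw
    $rules = $cfg.configuration.'system.webServer'.rewrite.rules.rule
    foreach ($r in $rules) {
        [pscustomobject]@{
            Name       = $r.name
            MatchUrl   = $r.match.url
            Conditions = ($r.conditions.add |
                          ForEach-Object { "$($_.input) ~ $($_.pattern)" }) -join '; '
            Action     = $r.action.type
            StatusCode = $r.action.statusCode
        }
    }
} else {
    Write-Warning "web.config not found at $WebConfig"
}

# 3. Taking EM out of the loop in a highly secured environment, after which
#    mitigations are applied by hand or with EOMT:
#    Set-ExchangeServer -Identity $Server -MitigationsEnabled $false   # one server
#    Set-OrganizationConfig -MitigationsEnabled $false                 # whole org
```

Step 2 matters because a rewrite rule remains in force regardless of what the EM status says: if a rule was applied by hand, by EOMT, or by an earlier EM run and later blocked, the web.config is the ground truth for what the front end is currently refusing.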

The EM service is one of the first security features of its kind: it can automatically deploy temporary fixes to a software application until a permanent fix is available.

Several security experts lauded Microsoft last week for its forward thinking in addressing the problem of deploying mitigations, most of which are complex configuration changes that typically have to be applied by hand. Many are applied incorrectly or left incomplete when administrators skip or miss a step, leaving their systems still vulnerable to attack.

This is a Big Deal. A huge deal. The September CU for on-prem Exchange Server will install an Emergency Mitigations feature that, by default, will automatically apply mitigations released for the most dangerous Exchange vulns.

Bravo. Other vendors take note. https://t.co/3ShavhUwxi

— Brian in Pittsburgh (@arekfurt) September 25, 2021

The post Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes appeared first on The Record by Recorded Future.
