Microsoft has released an interim mitigation tool to automatically mitigate one vulnerability in the attack chain associated with the zero-day Exchange Server exploits the vendor disclosed earlier this month.
The Exchange On-premises Mitigation Tool, or EOMT, aims to protect and mitigate against CVE-2021-26855 on Exchange servers prior to patching and was designed for those who are either unfamiliar with the updating process or have not applied the update yet.
The tool has been tested on the 2013, 2016 and 2019 versions of Exchange Server and works by using a URL Rewrite configuration to mitigate against known attacks using CVE-2021-26855.
It then scans the Exchange Server with Microsoft Safety Scanner and attempts to reverse changes made by identified threats.
While not intended to be a replacement for Exchange security updates, the tool, which was published on GitHub, is considered by Microsoft to be the “fastest and easiest way to mitigate the highest risks” for internet connected, on-premises Exchange Server before patches are applied.
The new tool came out of the vendor working with customers through its customer support teams, third-party hosters and partner network, with Microsoft coming to the conclusion there was a need for an automated solution for both current and out-of-support versions of on-premises Exchange Server.
This comes more than a week after Microsoft released an updated script that scanned Exchange log files for indicators of compromise (IOCs). The vendor recommended that the new tool be used over the previous script, as it is based on the latest threat intelligence.
Microsoft flagged the attack chain on 2 March, when it released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind exploits targeting the flaws at the time.