If you are still running and patching an on-premises Exchange server, you need to opt into a major protection that Microsoft is rolling out to its customers.
Microsoft has rolled out a new feature called Microsoft Exchange Emergency Mitigation (EM) service. It is included in the September 2021 Cumulative Update and is not a replacement for patching. Rather, it provides better protections for on-premises Exchange servers.
The recent zero-day attacks on Exchange showed that many firms weren’t up to date in patching and Microsoft realised that many were behind in updating. Microsoft quickly released an Exchange On-premises Mitigation Tool (EOMT) along with automatic mitigation included in Microsoft Defender Antivirus and System Centre endpoint protection.
As they noted, “The EOMT is a one-click tool that applies interim mitigations to an Exchange server to proactively minimise vulnerable attack surfaces until the admin can install an available SU. This was our recommended approach for Exchange deployments with internet access and for those who needed to quickly mitigate their risk while they prepared to update their servers.”
What is the Microsoft Exchange Emergency Mitigation service?
Microsoft realised that more needed to be done and included EM in the September updates. As they note, “EM runs as a Windows service on Exchange Server. It is a built-in version of the EOMT that works with the cloud-based Office Config Service (OCS) to provide protection against security threats that have known mitigations. The OCS is the same online configuration service used by Office clients.”
Once an hour, Emergency Mitigation checks Office Config Service by checking into a URL. When Microsoft learns about a security threat, it creates a mitigation for the issue and the server then implements mitigation settings.
The mitigation package is a signed XML file to ensure that the file is not tampered with. EM is not intended as a replacement for a security update but gives you the ability to test and deploy the update. This service will be automatically installed on all mailbox servers once you install the September cumulative update. It won’t be installed on Edge Transport servers. You can disable the service in the administration settings.
Emergency Mitigation prerequisites
You will need Internet Information Services (IIS) URL Rewrite module v2 installed on the Exchange server to use EM. If the module is not installed on the server, you’ll receive an error message upon deployment of the cumulative update. You’ll also need the IIS URL rewrite module once the September cumulative update is installed regardless of whether you use Emergency Mitigation.
If you are running Windows Server 2012 R2 and have Exchange 2016 installed on that platform, you’ll need to install KB2999226 (Update for Universal C Runtime) before installing the cumulative update. Expect to see that prerequisite notification during the install. Of course, you’ll need internet access for the EM service to function.
How Emergency Mitigation works
Should an active attack occur, this module can perform multiple optional actions to protect the network. It can implement an IIS rewrite rule to filter malicious HTTPS requests, disable an Exchange service, and disable a virtual directory or app pool.
It’s reminiscent of the actions the Justice Department took in April to proactively patch servers that were taken over in attacks in January and February of 2021. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
Microsoft will send a sample mitigation called PING to the Emergency Mitigation Service to ensure that it is connecting to and communicating properly with the Office Config Service.
Once the cumulative update is installed, you can use the Get-Mitigations.ps1PowerShell script to review what mitigations are available to you as well as what options you have. You can temporarily or permanently disable a mitigation if you suspect any interaction. If you temporarily disable the mitigation, you can reapply later or upon restarting EM.
The actions of the Emergency Mitigation service are logged into the Windows Event Log. New Events 1005 and 1006 with a source name of MSExchange Mitigation Service are logged in when a successful action occurs. If the EM service can’t reach the internet and the associated Office Config Service, event 1008 will be logged. Look for unique logging under the V15\Logging\MitigationService folder under the Exchange Server installation directory.
During the last Black Hat security conference, Orange Tsai, a security researcher who specialises in Exchange vulnerabilities, noted that there is no bug bounty program for Exchange on-premises.
Many in the security industry were dismayed at the lack of attention on-premises servers have had recently. It’s a refreshing change to see Microsoft giving on-premises machines similar protection that cloud services are getting.
Anyone who still has an on-premises Exchange server should take advantage of the resources and tools that Microsoft is providing to better protect those of you in the crosshairs of attackers. Exchange zero days have been used in ransomware attacks on various businesses, and Microsoft has responded to this risk to on-premises customers. I urge you to test and install this protection on your mail servers.
Attackers are using every tool in their arsenal to go after the various entrances into our network including using Autodiscover protocols to harvest passwords to zero days in Exchange. Installing this module will ensure that your server will be protected with the latest guidance and protections even without installing a rushed security update.