New Exchange Mitigation Service Released By Microsoft

In its most recent Cumulative Update (CU) Microsoft added a new feature, the Microsoft Exchange Emergency Mitigation (EM) service. 

After the September 2021 CU is installed on Exchange Server 2016 or Exchange Server 2019, the service is automatically installed on servers that have the Mailbox role. It can detect Exchange Servers that are vulnerable to one or more known threats and applies interim mitigations until administrators install security updates. These automatically deployed mitigations are temporary: they stay in place only until the security update that resolves the issue can be installed.

“This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers prior to installing applicable SUs,” the Microsoft Team stated. According to Microsoft, the Microsoft Exchange Emergency Mitigation feature is a built-in version of the Exchange On-premises Mitigation Tool (EOMT).

How Will the Emergency Mitigation Tool Work?

EOMT works with the cloud-based Office Config Service (OCS) by checking for mitigations and providing protection against threats. “If Microsoft learns about a security threat and we create a mitigation, and that mitigation will be directly sent to the Exchange server, which would automatically implement the pre-configured settings,” the Microsoft Exchange Server team wrote in an online community post.

The Emergency Mitigation component is based on Microsoft’s Exchange On-premises Mitigation Tool, which helps users and organizations better mitigate potential threats and attacks. Emergency Mitigation runs as a Windows service on the Exchange Server. The service checks the Office Config Service for available mitigations and then downloads an XML file.

When Microsoft discovers a security threat, it creates a mitigation for the issue. That mitigation can then be sent directly to the Exchange server, where the pre-configured settings are implemented automatically.

The mitigation package is an XML file that contains the settings needed to mitigate known security threats. Once the Exchange server has received the mitigation, the Emergency Mitigation service validates its signature to verify that the XML was not tampered with. After validation is complete, the mitigations are applied.

However, Emergency Mitigation is optional: it is intended for those who want Microsoft to create and apply vulnerability mitigations to their Exchange servers automatically. Businesses and organizations that decide not to use Emergency Mitigation can disable the feature and continue to use Microsoft’s Exchange On-premises Mitigation Tool to mitigate threats manually.
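An administrator deciding whether to keep or disable the feature first needs to know its current state on each Mailbox server. The following read-only audit is an added example, not code from the article or from Microsoft. It assumes it is run in the Exchange Management Shell; the service name `MSExchangeMitigation` and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties are Exchange's own names that do not appear in the article, and the function name is made up for this example.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2016/2019
# with the September 2021 CU or later. Read-only; it changes no settings.
function Get-EmergencyMitigationState {
    [CmdletBinding()]
    param()

    # Organization-wide switch; $false turns EM off for every server.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    # The EM service is installed only on servers that hold the Mailbox role.
    Get-ExchangeServer |
        Where-Object { $_.ServerRole -match 'Mailbox' } |
        ForEach-Object {
            # Query the Windows service that downloads and applies mitigations.
            $svc = Get-Service -Name 'MSExchangeMitigation' `
                               -ComputerName $_.Name `
                               -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Server            = $_.Name
                OrgEnabled        = $orgEnabled
                ServerEnabled     = $_.MitigationsEnabled
                ServiceStatus     = if ($svc) { $svc.Status } else { 'NotFound' }
                # Automatic mitigation happens only when both switches are on
                # and the service is actually running.
                EffectivelyActive = ($orgEnabled -and
                                     $_.MitigationsEnabled -and
                                     $svc.Status -eq 'Running')
                Applied           = @($_.MitigationsApplied) -join ', '
                Blocked           = @($_.MitigationsBlocked) -join ', '
            }
        }
}

Get-EmergencyMitigationState | Format-List
```

To opt out as described above, `Set-OrganizationConfig -MitigationsEnabled $false` disables the feature for the whole organization, and `Set-ExchangeServer -Identity <server> -MitigationsEnabled $false` disables it on a single server.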

Microsoft Exchange has become one of the main targets for hackers, and the attack route generally involves a vulnerability that a business or organization has not recently patched. This new tool by Microsoft is aimed at providing rapid protection after a variety of recent attacks that used zero-day exploits against on-site versions of Microsoft Exchange servers.

The Exchange On-premises Mitigation Tool uses a PowerShell script to configure Exchange Server with mitigations against threats. The Microsoft Exchange Emergency Mitigation service automates some of this process and will continue to apply mitigations as Microsoft releases them.

Cyberattacks are on the Rise

Cyberattacks are not only happening more frequently, but they are becoming more advanced and sophisticated. Therefore, it is vital that on-premises Exchange servers are not only secure but up to date. The Antimalware Scan Interface (AMSI) was introduced as a new feature as part of the June 2021 CUs; this feature allows applications and services to integrate with any antimalware product on a machine.

With the September 2021 Cumulative Updates (CU) for Exchange Server, Microsoft takes things up a notch by introducing the Emergency Mitigation service as a new feature. The Microsoft Exchange Emergency Mitigation tool will automatically apply mitigations that are administered by Microsoft for active security issues. The goal is for less of the process to require manual attention, which will hopefully help prevent avoidable situations.

The Emergency Mitigation tool is being implemented after the concerns surrounding Microsoft Exchange. There have been several news reports detailing how state-sponsored cybercriminals have extracted data from Microsoft Exchange to be used for secret AI projects. Microsoft Exchange has been at the center of attention of many cyberattacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) addressed the issues surrounding Microsoft Exchange in the first half of 2021.

Many security experts have applauded Microsoft for its level of thinking and its response to the ever-growing cybersecurity threats. Security experts believed this was a great move by Microsoft when it came to addressing the challenges that can arise when deploying mitigations. Most of the challenges are complex configuration changes that will generally need to be applied manually. Unfortunately, this can sometimes lead to some mitigations not being applied correctly or being left incomplete when a step is accidentally skipped or missed, resulting in the systems still being vulnerable to attacks.

Microsoft Exchange Server is the top email and messaging platform across the globe, and it has become the foundation of the communications infrastructure for many businesses and organizations. Microsoft Exchange and its extensions are on a mission to no longer be viewed as easy targets for cybercriminals. It will be interesting to see whether these efforts by Microsoft Exchange will prevent the same type of attacks that were experienced in 2020 and the first half of 2021.

HRCT applies best practices and we use our Microsoft expertise to implement effective strategies and solutions for Microsoft platforms. We can also help you move your Exchange Server to the cloud or implement other technologies when you need to deploy an on-premise solution. There are numerous components and features that can enhance the functionality of Microsoft Exchange and other Microsoft applications.

HRCT can help you with any Microsoft networking, Microsoft security, or Microsoft support. Do you have questions or concerns about your Microsoft applications and platforms? Contact us today to schedule your consultation.