Dive Brief:
- Microsoft on Tuesday updated guidance on the URL Rewrite rule, which was designed to help customers prevent future attacks related to two zero-day vulnerabilities found in Exchange Server. The vulnerabilities, confirmed last week by Microsoft, were first identified by Vietnam-based GTSC in August.
- The URL Rewrite rule guidance was a mitigation Microsoft suggested to help organizations running Exchange Server block known attack patterns. However, researchers at GTSC, as well as researcher Kevin Beaumont, pointed out flaws in the suggested mitigation that could allow an attacker to bypass the changes.
- “The original mitigations provided by Microsoft were unfortunately easy to maliciously subvert,” Dray Agha, senior threatops analyst team lead at Huntress, said via email. “As Kevin noted, those who applied the original mitigations were still vulnerable due to this mitigation bypass.”
Dive Insight:
Microsoft updated its mitigation steps for customers after it confirmed disclosures by GTSC about attacks involving the installation of Chopper malware against organizations using on-premises Exchange Server 2013, 2016 and 2019.
Microsoft was aware of fewer than 10 organizations being impacted, but warned of a potential escalation of attacks. The company said the single threat actor was state-sponsored.
Microsoft on Tuesday released the updated URL Rewrite mitigation for Exchange Server 2016 and 2019 to customers who have the Exchange Emergency Mitigation Service (EEMS) enabled. Microsoft previously added the feature in a September 2021 update.
To mitigate the vulnerabilities, customers can also run the EOMTv2 script, which automatically updates internet-connected machines and can be run on Exchange Server when EEMS is not enabled.
Customers can also follow a series of 10 steps in IIS Manager to add a request-blocking rule in the URL Rewrite window. Microsoft made changes in steps 6-10, which it highlighted in the instructions.
Until a patch is released, researchers expect further attempts to either test the mitigation steps or get around them with ill intent.
“Unfortunately we are likely to see this become a game of cat and mouse, as adversaries and security researchers alike find new ways to bypass the mitigations from Microsoft,” Agha said.