
Microsoft Shares One-Click Mitigation Tool for Exchange Server Flaws

Designed to support entities operating without an IT or security leader, Microsoft’s one-click, automated mitigation tool will automatically close the zero-day Exchange Server vulnerabilities.

Microsoft unveiled a mitigation tool for small entities and others operating without a designated IT or security team, which is designed to automatically mitigate the recently disclosed zero-day vulnerabilities in Exchange Servers, prior to employing the security update.

The Microsoft Exchange On-Premises Mitigation Tool has been tested on Exchange Server 2013, 2016, and 2019 deployments. The tech giant hopes the tool can support those struggling to apply the patch and update their software for the vulnerabilities disclosed earlier this month.

The four zero-day vulnerabilities, which include a server-side request forgery flaw, can give an attacker the ability to send arbitrary HTTP requests and authenticate to the server, even without legitimate credentials.

The flaws are already being exploited in the wild, and that exploitation has intensified since the initial disclosure. The latest reports show that at least 10 advanced persistent threat (APT) actors are actively targeting the flaws to gain access to victims’ networks.

The attacker does not need special knowledge of, or prior access to, the targeted environment. They need only know that a server is running Exchange and the account from which they want to extract data. These exploits allow for a range of malicious activities, including the theft of Active Directory data.

Microsoft previously released an indicators of compromise (IOC) tool for all entities, which was designed to scan for signs of exploitation of the Exchange flaws. That tool was meant to be used ahead of applying the patch or alternative mitigations, as it will not expel an attacker who is already inside the network.

The latest tool is designed as an interim mitigation for teams that have not yet applied the security update to their on-prem Exchange Servers. Once downloaded and run, the tool will automatically mitigate the flaw on any vulnerable Exchange environments.

“We realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server,” Microsoft explained.

“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” they added.

All entities that have yet to apply the update should download the tool and immediately run it on all on-prem Exchange servers. The tool applies a URL rewrite configuration to block the currently known exploits of the flaw.

The mitigation tool will also scan the relevant Exchange platforms to identify threats, then attempt to reverse any system changes made by the threats it identifies. After it runs, administrators should review the mitigation steps previously published by the tech giant to ensure these vulnerable servers remain protected.

Microsoft warns that while the tool is effective against known threats, it does not guarantee protection against attack techniques that may emerge in the future. The tool is meant to be a temporary fix for a highly critical issue that needs prompt attention across all enterprise environments.

“This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation,” researchers explained. “Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.”

Microsoft is continuing to address all related issues and potential threats related to these flaws.
