Microsoft Exchange Server zero-day vulnerabilities exposed early due to limited targeted attacks

Microsoft has indicated that it is working as quickly as possible to release patches for Exchange Server and has urged on-premises Exchange customers to add a blocking rule in Internet Information Services (IIS) Manager as a temporary workaround to mitigate possible threats.

In the absence of official patches, your organization should check its environments for signs of exploitation and then apply the emergency mitigation steps.


Detect exploitation

GTSC recommended that organizations check whether their Exchange servers have already been compromised by running this PowerShell command, with <Path_IIS_Logs> replaced by the server's IIS log directory: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*Autodiscover\.json.*\@.*200'

The cybersecurity firm has also developed a tool to search for signs of exploitation and released it on GitHub. Additionally, Microsoft provided guidance on using its own security tools, such as Microsoft Sentinel, Microsoft Defender for Endpoint, and Microsoft Defender Antivirus, to detect the exploit.
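The one-liner above only prints raw log lines. The following PowerShell script is an added example, not GTSC's tool or Microsoft's guidance: it walks the IIS log directory (the default C:\inetpub\logs\LogFiles path is an assumption; pass -LogRoot for your server), uses the "#Fields:" header of each W3C log to name the columns, and reports every request matching the Autodiscover/PowerShell pattern with its timestamp, client IP, URI, query and status, so that 200 responses can be separated from failed attempts without a "200" elsewhere in the URI causing a false hit.

```powershell
# Added example (not GTSC's or Microsoft's tool): scan Exchange IIS logs for the
# Autodiscover/PowerShell request pattern and report each hit with its W3C fields.
# The default -LogRoot is an assumption; adjust it for your server.
function Find-AutodiscoverPowerShellHits {
    [CmdletBinding()]
    param(
        [string]$LogRoot = 'C:\inetpub\logs\LogFiles',
        # Same pattern family as GTSC's one-liner, without the trailing "200":
        # the status is read from the parsed sc-status field instead.
        [string]$Pattern = 'powershell.*autodiscover\.json.*\@'
    )

    $hits = @()
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File | ForEach-Object {
        $file   = $_
        $fields = $null   # column names from the most recent "#Fields:" directive

        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            # Skip other directives and lines that do not match (-notmatch is case-insensitive).
            if ($line.StartsWith('#') -or $line -notmatch $Pattern) { continue }

            # Map the space-separated record onto the header so the columns have names.
            $values = $line -split ' '
            $record = @{}
            if ($fields) {
                for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
                    $record[$fields[$i]] = $values[$i]
                }
            }

            $hits += [pscustomobject]@{
                File      = $file.FullName
                Time      = "$($record['date']) $($record['time'])"
                ClientIP  = $record['c-ip']
                Method    = $record['cs-method']
                Uri       = $record['cs-uri-stem']
                Query     = $record['cs-uri-query']
                Status    = $record['sc-status']
                Succeeded = ($record['sc-status'] -eq '200')
            }
        }
    }
    return $hits
}

# Usage: show hits the server answered with 200 (the case GTSC's command highlights).
# Hits with other status codes are still worth reviewing as attempted exploitation.
Find-AutodiscoverPowerShellHits |
    Where-Object Succeeded |
    Format-Table Time, ClientIP, Uri, Query, Status -AutoSize
```

Run it from an elevated PowerShell session on each on-premises Exchange server; any 200 hit should be followed up with the incident-response and mitigation steps below rather than treated as a false positive.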

Mitigate vulnerabilities

Until Microsoft releases official patches, it recommends the following steps to mitigate the exploit on your on-premises Exchange servers:

  • Add a blocking rule to “IIS Manager -> Default Website -> URL Rewriting -> Actions” to block known attack patterns. Exchange Server customers should review and choose only one of the three mitigation options below.
    • Option 1: For customers who have Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft released URL Rewrite Mitigation for Exchange Server 2016 and Exchange Server 2019. Mitigation will be enabled automatically.
    • Option 2: Microsoft created this script for URL rewriting mitigation steps.
    • Option 3: Customers can follow these detailed steps on the Microsoft blog to add the blocking rule to break the current attack chains.
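Whichever of the three options is used, a defender will want to confirm that the blocking rule is actually in place on each server. The script below is an added, read-only check and not Microsoft's mitigation script: it assumes the IIS URL Rewrite module and the WebAdministration PowerShell module are installed and that the rule was added on the Default Web Site, then lists every rewrite rule whose URL match or condition pattern covers both "autodiscover" and "powershell" with an Abort Request action.

```powershell
# Added verification check (not Microsoft's mitigation script): report whether the
# Default Web Site carries a URL Rewrite request-blocking rule for the
# autodiscover/PowerShell pattern. It only reads configuration; it adds nothing.
# Assumes the IIS URL Rewrite module and the WebAdministration module are installed.
Import-Module WebAdministration

function Test-ExchangeUrlRewriteMitigation {
    param(
        [string]$SiteName = 'Default Web Site'   # site name is an assumption; adjust if renamed
    )

    $rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
                                  -PSPath "IIS:\Sites\$SiteName"

    $matching = foreach ($rule in $rules) {
        # Collect every pattern the rule tests: the URL match plus any condition patterns.
        $patterns = @($rule.match.url)
        $patterns += $rule.conditions.Collection | ForEach-Object { $_.pattern }

        # -match is case-insensitive, so "Powershell" and "powershell" both count.
        $coversAttackPattern = $patterns | Where-Object {
            $_ -match 'autodiscover' -and $_ -match 'powershell'
        }
        if ($coversAttackPattern -and $rule.action.type -eq 'AbortRequest') {
            [pscustomobject]@{
                Rule     = $rule.name
                Patterns = ($patterns -join ' | ')
                Action   = $rule.action.type
            }
        }
    }

    [pscustomobject]@{
        Site      = $SiteName
        Mitigated = [bool]$matching
        Rules     = @($matching)
    }
}

$result = Test-ExchangeUrlRewriteMitigation
if ($result.Mitigated) {
    Write-Output "URL Rewrite mitigation present on '$($result.Site)':"
    $result.Rules | Format-Table -AutoSize
} else {
    Write-Warning "No request-blocking rule covering autodiscover/PowerShell found on '$($result.Site)'."
}
```

A rule that matches the pattern but uses a Rewrite or Redirect action instead of Abort Request is deliberately not counted, since it would not break the request chain the way the guidance intends; if the check reports no rule, apply one of the three options above and run it again.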

Microsoft stated that Exchange Online customers are not affected and that no action is required. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-premises and cloud systems, so if this applies to your environment you should follow the instructions above to secure your on-premises servers.
