More trouble for Exchange Server as zero-day exploits attacked

Kip Kniskern

On premises Microsoft Exchange servers have taken a beating recently, and now there’s a new set of attacks for Exchange Server operators to worry about. Microsoft has acknowledged the issues in a post on the Security Response Center, identifying two vulnerabilities, one a Server Side Request Forgery, and another that allows remote code execution via PowerShell.

These vulnerabilities are apparently being currently exploited, with signs pointing to China state sponsored hacking groups, who are known to use some of the web shells used in the attacks.

Microsoft says that Exchange Online, the company’s hosted mail server solution, is not affected, but on premises mail servers running outdated Exchange Servers could be. The blog post lists instructions for mitigations, including blocking URL rewrite actions in a default IIS website, and blocking remote access to Remote PowerShell.

The company also lists some possible detection techniques using Microsoft Sentinel, Defender for Endpoint, and Defender Antivirus.