One-Click Exchange Mitigation Tool


After the vulnerability CVE-2021-26855 was discovered in Microsoft Exchange servers, organisations worldwide took a huge hit, and reports show that more than 30,000 organisations have been affected.

Initially, Microsoft released the security patch only for the latest Exchange CUs; customers had to upgrade their Exchange servers to the latest CU in order to apply the patch and secure their environment.

Later, Microsoft released patches for other CU versions as well, for customers who ran into trouble upgrading the CU because of client update issues and various other concerns.

Most recently, Microsoft has released a One-Click Mitigation Tool to help customers who don't have an IT team to handle the patching. It has been tested on Exchange 2013, 2016 and 2019 servers.

We recommend that all customers who have not yet applied the on-premises Exchange security update:

  • Download this tool.
  • Run it on your Exchange servers immediately.
  • Then, follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
  • If you are already using Microsoft Safety Scanner, it is still live and we recommend keeping this running as it can be used to help with additional mitigations.

Once run, the EOMT.ps1 tool will perform three operations:

  • Mitigate against current known attacks that exploit CVE-2021-26855 by using a URL Rewrite configuration.
  • Scan the Exchange Server using the Microsoft Safety Scanner.
  • Attempt to reverse any changes made by identified threats.
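After the tool has run, an administrator will want to confirm that the URL Rewrite mitigation actually landed and note the Exchange build that still needs the real security update. The following PowerShell is an added verification example, not part of EOMT.ps1; it assumes the IIS WebAdministration module is available and that the mitigation was applied to "Default Web Site" (an assumption to adjust if your front-end site is named differently).

```powershell
# Added verification example (not part of the EOMT tool): lists the URL Rewrite rules on
# the Exchange front end and flags the kind of rule the mitigation installs.
# Assumes the WebAdministration module (IIS) and the URL Rewrite module are installed,
# and that EOMT targeted "Default Web Site" (assumption; adjust the path if it differs).
Import-Module WebAdministration -ErrorAction Stop

$sitePath = 'IIS:\Sites\Default Web Site'

# URL Rewrite rules live under system.webServer/rewrite/rules in the site's web.config.
$rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath $sitePath

if (-not $rules) {
    Write-Warning "No URL Rewrite rules found on $sitePath. The mitigation has not been applied, or the URL Rewrite module is missing."
    return
}

foreach ($rule in $rules) {
    # The mitigation works by inspecting request cookies and aborting the request,
    # so a rule with a {HTTP_COOKIE} condition and an AbortRequest action is what we expect.
    $conditions = @($rule.conditions.Collection | ForEach-Object { $_.input })
    $isCookieAbort = ($rule.action.type -eq 'AbortRequest') -and ($conditions -contains '{HTTP_COOKIE}')

    [pscustomobject]@{
        Rule       = $rule.name
        Enabled    = $rule.enabled
        ActionType = $rule.action.type
        CookieRule = $isCookieAbort
    }
}

# Report the installed Exchange build so it can be compared against the patched CU builds in
# Microsoft's guidance; the rewrite rule is only a stop-gap until the security update is installed.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) { "Exchange build: $($exsetup.FileVersionInfo.ProductVersion)" }
```

Run it in an elevated Exchange Management Shell on each mitigated server; a site with no rule reported as CookieRule = True should be treated as unmitigated.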

Before running the tool, you should understand:

  • The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
  • We recommend this script over the previous ExchangeMitigations.ps1 script, as it is tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.
