Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
I suspect MSFT was trying to make the remediation more easy to implement by leaving out the step to select "Autodiscover" from the IIS tree given that the RegEx will match everything before "autodiscover.json" whether it be in the web root, or in the "/Autodiscover" folder/application.
HOWEVER, MSFT should really answer whether or not this exploit is only possible from "/Autodiscover" (which is how GTSC originally reported it) or if it's now expanded to "/" (anywhere in the Exchange Front End/Default Web Site).
Without this answer, the safe option seems to be to do the URL rewrite on "Default Web Site" not only because it's what Microsoft currently says, but because a rule at this level will also cover the "/Autodiscover" folder, given the nature of the RegEx being matched:
.*autodiscover\.json.*\@.*Powershell.*
The first two characters .* will match https://yourexchangeyurl/ and also https://yourexchangeurl/autodiscover up until it finds autodiscover.json...