Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are no longer recommended.
We have gotten several questions from our customers related to recent reports of new zero-day vulnerabilities impacting Exchange Server.
The MSRC team has released a blog post on this subject, with more information and mitigations that you can apply to your Exchange servers right away. We will keep updating these posts as the situation develops and we continue working on this:
MSRC - Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
Updates:
- 10/7 - Further improvement to the URL Rewrite rules on October 7. The EEMS service is receiving the new rule automatically. The EOMTv2 script has been updated (the script auto-updates on Internet-connected machines and the updated version is 22.10.07.2029). Updated manual URL Rewrite steps on the MSRC blog.
- 10/6 - Additional improvement to the EOMTv2 rule (a space was removed from a filter; the rule still worked but was changed for consistency's sake). EOMTv2 version increased to 22.10.06.0840.
- 10/5 - Further improvement to the URL Rewrite rules on October 5. The EEMS service is receiving the new rule automatically. The EOMTv2 script has been updated (the script auto-updates on Internet-connected machines and the updated version is 22.10.05.2304). Updated manual URL Rewrite steps on the MSRC blog.
- 10/4 - We have updated the URL Rewrite rules on October 4. The EEMS service is receiving the new rule automatically. The EOMTv2 script has been updated (the script auto-updates on Internet-connected machines and the updated version is 22.10.03.1829). We also updated the manual URL Rewrite steps on the MSRC blog.
- 10/2 - Addition to the Mitigations section: we strongly recommend that Exchange Server customers disable remote PowerShell access for non-admin users in their organization. More details in the MSRC blog post.
- 9/30 - For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. Please see this blog post for more information on this service and how to check active mitigations.
- 9/30 - The Microsoft Security Threat Intelligence team released a blog post: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.
- 9/30 - We have now released a PowerShell script to help apply the mitigation to servers automatically.
The Exchange Server Team