We typically release our quarterly Cumulative Updates (CUs) for Exchange Server on the third Tuesday of a month. In June 2021, that would be June 15th. Today we want to let you know that the June CUs for Exchange Server will be released two weeks later, on June 29th instead (EDIT: now released, please see the announcement here). In addition to bug fixes and incorporating previous Security Updates (SUs) for Exchange Server, we are taking a little bit of extra time to finish adding a new security feature to Exchange Server.
Today's Security Landscape
Security is a top priority for Microsoft and our customers, especially as cyberattacks increase in frequency and level of sophistication. The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks, and signals that phishing and human-operated ransomware are on the rise. Microsoft is now actively tracking more than 40 nation-state actors and over 140 threat groups across 20 countries—a number that used to be a handful. More than ever, it is critical to keep your on-premises infrastructure secure and up-to-date, including all your Exchange servers. This is a continuous process in which you:
This past March, we released SUs for critical vulnerabilities in Exchange Server, and we actively worked through our customer support teams, third-party hosters, and our partner network to help customers secure their environments and respond to associated threats from the attacks occurring against on-premises Exchange Server. In addition to releasing the one-click Exchange On-Premises Mitigation Tool (EOMT) last March, we also released automatic mitigation for Exchange Server in Microsoft Defender Antivirus and System Center Endpoint Protection. As with EOMT, these were interim mitigations designed to help protect customers who needed extra time to install the available SU.
When the June CU is released on June 29th, only the March and June CUs will be supported for any future Exchange Server SUs. If you are not yet running the March CU, now is a great time to get current.
Introducing Exchange Server integration with AMSI
In response to the fast-changing threat landscape, in the June CUs for Exchange 2016 and Exchange 2019, we are introducing integration between Exchange Server and the Windows Antimalware Scan Interface (AMSI). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.
AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection which complements the existing antimalware protection in Exchange Server to make your Exchange servers more secure than ever.
The AMSI integration in Exchange Server works with any AMSI-capable antivirus/antimalware solution. By default, Microsoft Defender Antivirus (MDAV), an AMSI-capable solution, is automatically enabled and installed on endpoints and devices that are running Windows 10 and Windows Server 2016 and later. If you haven’t installed an antivirus/antimalware application, Exchange Server AMSI integration will work with MDAV. If you install and enable another antivirus/antimalware app, MDAV will automatically turn off. And if that other app is AMSI-capable, the Exchange Server integration will work with that app. If you uninstall the other app, MDAV will automatically turn back on, and the Exchange Server integration will work with MDAV.
There are specific benefits when using MDAV on Exchange Server:
MDAV dynamically fetches signatures that match malicious content. If Microsoft learns about an exploit that can be blocked, a new MDAV signature can be deployed to block the exploit from affecting Exchange.
Leveraging existing technology to add signatures for malicious content;
Leveraging the expertise of Microsoft's malware research team for adding signatures;
Applying best practices that Defender already applies for adding other signatures.
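A readiness check for the prerequisites described above, as an added PowerShell example (not Microsoft's or the Exchange team's code). The OS build numbers, the registry paths, and the function name `Test-ExchangeAmsiPrereq` are assumptions that do not come from this post.

```powershell
# Added example: checks the prerequisites named in the post. It does not verify
# that the June 2021 CU itself is installed (the post gives no build numbers).
function Test-ExchangeAmsiPrereq {
    # OS builds for the two releases the post names (assumption: not from the post).
    $osNames = @{ '14393' = 'Windows Server 2016'; '17763' = 'Windows Server 2019' }
    $build   = [string](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $osName  = $osNames[$build]

    # Exchange setup key (assumed path): 15.1 = Exchange 2016, 15.2 = Exchange 2019.
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction SilentlyContinue
    $exch  = if ($setup) { '{0}.{1}' -f $setup.MsiProductMajor, $setup.MsiProductMinor } else { $null }

    # Per the post: Exchange 2016 needs Windows Server 2016; Exchange 2019 may run on either OS.
    $comboOk = ($exch -eq '15.1' -and $build -eq '14393') -or
               ($exch -eq '15.2' -and [bool]$osName)

    # AMSI providers register a COM CLSID under this key; resolve each one to its DLL.
    $providers = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Clsid = $clsid; Dll = $inproc.'(default)' }
        })

    # Defender state, only if the Defender cmdlets are present on this server.
    $mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        Get-MpComputerStatus -ErrorAction SilentlyContinue
    } else { $null }

    [pscustomobject]@{
        OsBuild              = $build
        OsNamedInPost        = $osName
        ExchangeVersion      = $exch
        SupportedCombination = $comboOk
        AmsiProviders        = $providers
        DefenderRealTime     = $mp.RealTimeProtectionEnabled
        DefenderSigAgeDays   = $mp.AntivirusSignatureAge
        PrerequisitesMet     = $comboOk -and ($providers.Count -gt 0)
    }
}

Test-ExchangeAmsiPrereq | Format-List
```

A registered provider only shows that an AMSI-capable product is installed; confirm in that product's own console that its real-time scanning is enabled.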
We are working hard and are excited to deliver this new AMSI integration to you later this month on June 29th. Thank you for your patience!