author photo
By Clare O’Gara
Mon | Jun 29, 2020 | 5:15 AM PDT

Microsoft is warning customers to take some immediate steps to protect their Exchange servers.

After noticing a massive spike in attacks during April, Microsoft is urging organizations with Exchange email servers to shore up their defenses.

In a recent report from the Microsoft Defender ATP Research Team, the company touched on the April increase:

"Multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells."

According to the team, Exchange email servers pose a specific risk when compromised, since they allow attackers to multitask with the same tools used by administrators.

"This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions.

Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization."

There are two main ways that cybercriminals can achieve this "stable foothold":

  1. Attackers launch social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.
  2. Attackers exploit a remote code execution vulnerability (RCE) affecting the underlying Internet Information Service (IIS) component of a target Exchange server.

Microsoft is cautioning users to take action ASAP.

Five steps to limiting Exchange server compromise

Curious how to protect your network and organization against Exchange server compromise? Microsoft has these five recommendations:

  1. Apply the latest security updates
  2. Keep antivirus and other protections enabled
  3. Review sensitive roles and groups
  4. Restrict access
  5. Prioritize alerts