The Emergency Mitigation service adds protections to Exchange Server in the wake of recent zero-day compromises.

If you are still running and patching an on-premises Exchange server, you need to opt into a major protection that Microsoft is rolling out to its customers. Microsoft has rolled out a new feature called Microsoft Exchange Emergency Mitigation (EM) service. It is included in the September 2021 Cumulative Update and is not a replacement for patching. Rather, it provides better protections for on-premises Exchange servers.

The recent zero-day attacks on Exchange showed that many firms weren’t up to date in patching, and Microsoft realized that many were behind in updating. Microsoft quickly released an Exchange On-premises Mitigation Tool (EOMT) along with automatic mitigation included in Microsoft Defender Antivirus and System Center endpoint protection. As they noted, “The EOMT is a one-click tool that applies interim mitigations to an Exchange server to proactively minimize vulnerable attack surfaces until the admin can install an available SU. This was our recommended approach for Exchange deployments with internet access and for those who needed to quickly mitigate their risk while they prepared to update their servers.”

What is the Microsoft Exchange Emergency Mitigation service?

Microsoft realized that more needed to be done and included EM in the September updates. As they note, “EM runs as a Windows service on Exchange Server. It is a built-in version of the EOMT that works with the cloud-based Office Config Service (OCS) to provide protection against security threats that have known mitigations. The OCS is the same online configuration service used by Office clients.” Once an hour, Emergency Mitigation checks in with the Office Config Service at a fixed URL. When Microsoft learns about a security threat, it creates a mitigation for the issue and the server then implements the mitigation settings.
The mitigation package is a signed XML file to ensure that the file is not tampered with. EM is not intended as a replacement for a security update but gives you the ability to test and deploy the update. This service will be automatically installed on all mailbox servers once you install the September cumulative update. It won’t be installed on Edge Transport servers. You can disable the service in the administration settings.

Emergency Mitigation prerequisites

You will need the Internet Information Services (IIS) URL Rewrite module v2 installed on the Exchange server to use EM. If the module is not installed on the server, you’ll receive an error message upon deployment of the cumulative update. You’ll also need the IIS URL Rewrite module once the September cumulative update is installed, regardless of whether you use Emergency Mitigation.

If you are running Windows Server 2012 R2 and have Exchange 2016 installed on that platform, you’ll need to install KB2999226 (Update for Universal C Runtime) before installing the cumulative update. Expect to see that prerequisite notification during the install. Of course, you’ll need internet access for the EM service to function.

How Emergency Mitigation works

Should an active attack occur, this module can perform multiple optional actions to protect the network. It can implement an IIS rewrite rule to filter malicious HTTPS requests, disable an Exchange service, and disable a virtual directory or app pool. It’s reminiscent of the actions the Justice Department took in April to proactively patch servers that were taken over in attacks in January and February of 2021.
The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

Microsoft will send a sample mitigation called PING to the Emergency Mitigation service to ensure that it is connecting to and communicating properly with the Office Config Service.

Once the cumulative update is installed, you can use the Get-Mitigations.ps1 PowerShell script to review what mitigations are available to you as well as what options you have. You can temporarily or permanently disable a mitigation if you suspect an adverse interaction. If you temporarily disable a mitigation, you can reapply it later or upon restarting EM.

The actions of the Emergency Mitigation service are logged to the Windows Event Log. New events 1005 and 1006 with a source name of MSExchange Mitigation Service are logged when a successful action occurs. If the EM service can’t reach the internet and the associated Office Config Service, event 1008 will be logged. Look for dedicated logging under the V15\Logging\MitigationService folder under the Exchange Server installation directory.

During the last Black Hat security conference, Orange Tsai, a security researcher who specializes in Exchange vulnerabilities, noted that there is no bug bounty program for Exchange on-premises. Many in the security industry were dismayed at the lack of attention on-premises servers have had recently. It’s a refreshing change to see Microsoft giving on-premises machines protection similar to what cloud services are getting.

Anyone who still has an on-premises Exchange server should take advantage of the resources and tools that Microsoft is providing to better protect those of you in the crosshairs of attackers. Exchange zero days have been used in ransomware attacks on various businesses, and Microsoft has responded to this risk to on-premises customers. I urge you to test and install this protection on your mail servers.
Attackers are using every tool in their arsenal to go after the various entrances into our networks, from abusing the Autodiscover protocol to harvest passwords to exploiting zero days in Exchange. Installing this module will ensure that your server is protected with the latest guidance and protections even before a rushed security update can be installed.
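As an added example that is not part of the article or of Microsoft's own tooling, the following PowerShell health check ties together the logging details described above: it confirms the EM service is running, looks for the success (1005/1006) and connectivity-failure (1008) events, and lists the newest files in the mitigation log folder. It assumes the Windows service name MSExchangeMitigation, that the events land in the Application log, and that the ExchangeInstallPath environment variable points at the V15 install directory.

```powershell
# Added example: health check for the Exchange Emergency Mitigation (EM) service.
# Assumptions (not stated in the article): service name MSExchangeMitigation,
# events written to the Application log, and $env:ExchangeInstallPath set.
$ServiceName = 'MSExchangeMitigation'            # assumed service name
$Source      = 'MSExchange Mitigation Service'   # event source from the article
$Window      = (Get-Date).AddHours(-24)          # look-back period for events

# 1. Is the service present and running? Without it no mitigation is applied.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; is the September 2021 CU installed on this mailbox server?"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is $($svc.Status); mitigations will not be applied."
} else {
    Write-Output "EM service is running."
}

# 2. Event log: 1005/1006 = mitigation action succeeded, 1008 = cannot reach the OCS.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $Source
    Id           = 1005, 1006, 1008
    StartTime    = $Window
} -ErrorAction SilentlyContinue)

$failures  = @($events | Where-Object { $_.Id -eq 1008 })
$successes = @($events | Where-Object { $_.Id -in 1005, 1006 })

if ($failures.Count -gt 0) {
    # EM checks in hourly; repeated 1008 events mean outbound HTTPS to the OCS is blocked.
    Write-Warning "$($failures.Count) OCS connectivity failure(s) (event 1008) since $Window."
    $failures | Select-Object TimeCreated, Id, Message | Format-List
}
if ($successes.Count -eq 0) {
    Write-Output "No successful mitigation actions (1005/1006) logged since $Window."
} else {
    $successes | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
}

# 3. Newest files in the dedicated mitigation log folder under the install directory.
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 Name, LastWriteTime
```

Run it in the Exchange Management Shell on each mailbox server after installing the cumulative update; a steady stream of 1008 events with no 1005/1006 entries points at a proxy or firewall blocking the hourly check-in rather than at EM itself.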