Microsoft updates its mitigation advice for Exchange Server zero-day vulnerabilities

After Microsoft acknowledged the existence of two actively exploited zero-day vulnerabilities in Exchange Server, security experts were quick to point out that the company was providing bad advice in response.

The URL blocking recommended by Microsoft was found to be sadly lacking, and hackers could easily bypass it. Now Microsoft has provided updated mitigation advice, as well as automated protection options.

Since its initial post on the Microsoft Security Response Center blog, Microsoft has updated its advice several times, and the most recent update seems to be the most complete solution.

The new instructions for manual mitigation are now as follows:

  1. Open IIS Manager. 
  2. Select Default Web Site.
  3. In the Feature View, click URL Rewrite.
  4. In the Actions pane on the right-hand side, click Add Rule(s)… 
  5. Select Request Blocking and click OK.
  6. Add the string .*autodiscover\.json.*Powershell.*
  7. Select Regular Expression under Using.
  8. Select Abort Request under How to block and then click OK.
  9. Expand the rule, select the rule with the pattern .*autodiscover\.json.*Powershell.* and click Edit under Conditions.
  10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK. 
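
Step 10 matters because the pattern from step 6 is compared against literal characters, so a request target that arrives percent-encoded only matches once it has been decoded. The following is an added example, not code from Microsoft or from this article: it models {UrlDecode:{REQUEST_URI}} with one pass of Python's urllib.parse.unquote, assumes the condition is matched case-insensitively, and uses constructed request targets.

```python
import re
from urllib.parse import unquote

# Pattern from step 6 of the manual mitigation.
RULE_PATTERN = r".*autodiscover\.json.*Powershell.*"
# Assumption: the condition ignores case (the URL Rewrite default).
RULE = re.compile(RULE_PATTERN, re.IGNORECASE)


def matches_raw(request_uri: str) -> bool:
    """Apply the pattern to the request target exactly as the client sent it."""
    return RULE.search(request_uri) is not None


def matches_decoded(request_uri: str) -> bool:
    """Apply the pattern after one percent-decoding pass.

    Assumption: unquote() stands in for {UrlDecode:{REQUEST_URI}}.
    """
    return RULE.search(unquote(request_uri)) is not None


def audit(request_uris):
    """Return (uri, raw_hit, decoded_hit) for every request target."""
    return [(u, matches_raw(u), matches_decoded(u)) for u in request_uris]


def caught_only_after_decoding(request_uris):
    """Request targets the rule aborts only when its input is decoded first."""
    return [u for u, raw, dec in audit(request_uris) if dec and not raw]


# Constructed request targets, chosen only to exercise the pattern.
SAMPLES = [
    "/autodiscover/autodiscover.json?a=b&c=Powershell",        # literal match
    "/autodiscover/autodiscover.json?a=b&c=Power%73hell",      # one letter percent-encoded
    "/autodiscover/autodiscover.json?Email=user@example.com",  # ordinary Autodiscover lookup
    "/owa/auth/logon.aspx",                                    # unrelated request
]

if __name__ == "__main__":
    for uri, raw, dec in audit(SAMPLES):
        print(f"raw={raw!s:5} decoded={dec!s:5} {uri}")
```

The same two functions can be pointed at request targets taken from IIS logs to see which requests the rule would abort and to confirm that ordinary Autodiscover lookups still pass.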

Microsoft also shares details of two other options:

Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation is enabled automatically and is updated to include the URL Rewrite rule improvements. Please see this blog post for more information on this service and how to check active mitigations.

Option 2: Microsoft created the EOMTv2 script for the URL Rewrite mitigation steps and updated it to include the URL Rewrite rule improvements. The EOMTv2 script will auto-update on Internet-connected machines, and the updated version will show as 22.10.06.0840. The script should be
