2020 and the first few months of 2021 have highlighted the vulnerability of Microsoft Exchange email servers, and the importance of securing Exchange with effective supplementary email protection.

As recently as March 2, 2021, Microsoft released out-of-band security updates for four vulnerabilities in on-premises Exchange Server 2013 through 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that multiple APT and cyber-espionage groups were already chaining to read mailboxes and take complete remote control of servers at an estimated 30,000 or more organizations across the United States; Exchange Online was not affected. This article provides tips and advice for securing your Exchange server to protect critical data and confidential business information in this heightened threat environment.

Exchange Risk is Greater than Ever

The Exchange flaws that surfaced earlier this month are not the first sign of Exchange's exposure, but the latest entry in a troubling security record. In February 2020, Microsoft patched a critical vulnerability (CVE-2020-0688) affecting every version of Exchange back to 2010; it allowed an attacker holding any valid user credentials to run code on the server as SYSTEM, and so to take over affected systems outright.


Just two months later, researchers revealed that threat actors had begun to actively exploit this flaw, which approximately 350,000 Internet-exposed Exchange servers had still not patched at the time. Since then, Microsoft has identified a significant uptick in malicious activity targeting Exchange servers. The majority of these attacks use fileless, living-off-the-land techniques that abuse legitimate, trusted tools and programs already on the server to evade detection.

Trend in attacks targeting Exchange servers since April 2020 (Source: Microsoft)

Anatomy of an Exchange Attack

So how exactly do these advanced attacks work? What methods are malicious actors using to compromise Exchange servers without users' knowledge? The first step in defending against a threat is understanding it, so here is the chain step by step.

Once an attacker gains access to a vulnerable Exchange server, the first move is to drop a web shell: a script file written into one of the web-accessible paths on the server (the OWA and ECP directories under IIS, for example) so that further commands can be sent to it over ordinary HTTPS requests that look like normal mail traffic. From there the attacker can steal data and take further actions to compromise the target system.


At this point in the attack, the intruders run reconnaissance commands and identify targets. They collect a list of all the Exchange servers in the organization, along with details about individual mailboxes, such as role assignments and permissions. They also add a new account on the compromised server to obtain persistent administrative access. To remain undetected, they often disable Microsoft Defender Antivirus, as well as automatic updates that were previously enabled, so the hole they came in through stays open.

Steps in an Exchange Attack (Source: Microsoft)
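The chain above leaves three kinds of evidence on the box: a script file in a web-accessible path, a new account or a new member of the local Administrators group, and Defender or Windows Update switched off. The following script is an added example (it is not code from the original article or from Microsoft) that checks for all three on a single Exchange server. It is meant to be run from an elevated PowerShell 5.1+ prompt on the server itself; the seven-day look-back window, the fallback install path and the directory list are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original article: first-pass triage for the
# foothold described above. Run from an elevated PowerShell (5.1+) prompt on the
# Exchange server. It checks:
#   1) script files recently written into web-accessible Exchange/IIS paths (web shells)
#   2) new accounts and additions to the local Administrators group (Security log)
#   3) Microsoft Defender or automatic updates switched off
# The 7-day window and the directory list below are assumptions; adjust to your estate.
param([int]$LookbackDays = 7)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Web shells ------------------------------------------------------------------
# Exchange setup defines ExchangeInstallPath; fall back to the default location (assumed).
$exRoot = $env:ExchangeInstallPath
if (-not $exRoot) { $exRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

$webPaths = @(
    (Join-Path $exRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $exRoot 'ClientAccess\Owa\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

foreach ($dir in $webPaths) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        ForEach-Object { $findings.Add("Recently written script file: $($_.FullName) ($($_.LastWriteTime))") }
}

# --- 2. New accounts / local admin additions ----------------------------------------
# 4720 = user account created, 4732 = member added to a security-enabled local group.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $summary = ($ev.Message -split "`r?`n")[0]
    $findings.Add("Security event $($ev.Id) at $($ev.TimeCreated): $summary")
}
# Current local Administrators, to compare against your documented baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name }

# --- 3. Defender and Windows Update tampering ----------------------------------------
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Microsoft Defender status unavailable (service stopped or removed)')
} elseif (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add("Defender disabled: AntivirusEnabled=$($mp.AntivirusEnabled), RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)")
}

$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service (wuauserv) is disabled or missing')
}
# Policy value that turns automatic updates off entirely.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAU  = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAU -eq 1) { $findings.Add("$auKey\NoAutoUpdate = 1 (automatic updates disabled by policy)") }

# --- Report ----------------------------------------------------------------------------
Write-Output "Local Administrators: $($admins -join ', ')"
if ($findings.Count -eq 0) {
    Write-Output "No findings in the last $LookbackDays days."
} else {
    Write-Output "FINDINGS ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Treat a hit in section 1 as a likely compromise rather than an oddity: legitimate Exchange updates do rewrite files under those directories, but only at the time you installed the update, so compare the timestamps against your change records before dismissing anything. Sections 2 and 3 depend on the Security log not having been cleared and on the Defender cmdlets being present; a missing log or an unavailable Defender status is itself a finding.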

Tips & Advice for Securing Exchange Email Servers


Here are some tips for securing your Exchange server against emerging exploits:

  • Patch your server immediately and leave antivirus enabled on it. Confirm the update actually applied: Exchange Security Updates do not change the version Exchange reports about itself, so check the file version of ExSetup.exe against the build Microsoft lists for that update.
  • Pay attention to and investigate every alert indicating suspicious activity on your server, including "noise" such as Defender being turned off or a new local account appearing.
  • Restrict access to those who truly need it, and review high-privilege groups (Organization Management and the local Administrators group on each server, for example) for unexpected members on a regular cadence.
  • Closely monitor applications that run under service accounts. Learn the normal usage patterns of these accounts and restrict their permitted log-on times so that anomalous behaviour stands out and, better still, fails.
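The checks behind the list above, as an added example that is not code from the original article or from Microsoft. It assumes it is run in the Exchange Management Shell on an Exchange server (for Get-ManagementRoleAssignment) with the ActiveDirectory module loaded (for Get-ADGroupMember and Set-ADUser). The group and role names are the standard Exchange ones; the account name svc-exbackup and the 01:00 to 05:00 UTC window are placeholders for your own service account and its real job window.

```powershell
# Added example, not code from the original article: checks that make the tips above
# verifiable. Assumes the Exchange Management Shell plus the ActiveDirectory module.
# 'svc-exbackup' and the 01:00-05:00 UTC window are placeholders for your own values.

# --- 1. Patch level ----------------------------------------------------------------
# Security Updates do not change the version Exchange reports about itself
# (Get-ExchangeServer's AdminDisplayVersion shows only the Cumulative Update), so read
# the file version of ExSetup.exe and compare it with the build Microsoft lists for the SU.
$exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
$build   = (Get-Item $exSetup).VersionInfo.ProductVersion
Write-Output "Installed Exchange build (ExSetup.exe): $build"

# --- 2. Who holds the keys ---------------------------------------------------------
# Membership of these groups amounts to control of the whole organization.
foreach ($group in 'Organization Management', 'Exchange Trusted Subsystem', 'Exchange Windows Permissions') {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SamAccountName }
    Write-Output ("{0}: {1}" -f $group, ($members -join ', '))
}
# RBAC roles that give mailbox-wide reach (reading, searching or exporting other people's mail).
foreach ($role in 'Mailbox Import Export', 'ApplicationImpersonation', 'Mailbox Search') {
    Get-ManagementRoleAssignment -Role $role -ErrorAction SilentlyContinue |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, Enabled
}

# --- 3. Service accounts: limit when they may log on -------------------------------
# AD stores logonHours as a 21-byte bitmap: 7 days x 24 hours, one bit per hour, starting
# Sunday 00:00 UTC, least-significant bit first within each byte. Outside the permitted
# window authentication fails and is logged, which is far easier to spot than "unusual".
function New-LogonHoursMask {
    param([int]$StartHourUtc, [int]$EndHourUtc)   # end is exclusive; applied to every day
    $mask = New-Object byte[] 21
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $bit = $day * 24 + $hour
            $idx = [int][math]::Floor($bit / 8)
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask
}

# Placeholder account: a backup job that only ever runs between 01:00 and 05:00 UTC.
$mask = New-LogonHoursMask -StartHourUtc 1 -EndHourUtc 5
Set-ADUser -Identity 'svc-exbackup' -Replace @{ logonHours = $mask }

# Verify: the stored attribute should have exactly 28 bits set (4 hours x 7 days).
$stored  = (Get-ADUser -Identity 'svc-exbackup' -Properties logonHours).logonHours
$bitsSet = ($stored | ForEach-Object { [Convert]::ToString($_, 2).ToCharArray() | Where-Object { $_ -eq '1' } }).Count
Write-Output "Permitted logon hours per week for svc-exbackup: $bitsSet"
```

Two caveats a practitioner will hit: logonHours is evaluated in UTC, so a job scheduled at 02:00 local time in a region with daylight saving needs a window wide enough to cover both offsets; and the restriction applies to interactive and network logons alike, so test it on the account's real workload before relying on it, since an overly tight window will break the job it is meant to protect.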

Investing in fully managed supplementary protection can further enhance security in Exchange. The team of security experts you partner with should be able to help you configure Exchange properly and securely and ensure that the additional defenses you deploy are working as intended to safeguard Exchange against vulnerabilities and attacks.

Have additional questions about securing your Exchange server? Want to learn about a supplementary email security solution designed to make Exchange safe for business?
