Microsoft has warned that unpatched Exchange email servers are an increasingly popular target among cyber criminals looking to gain access to sensitive credentials, compromise accounts and steal money from victims.

Security researchers report that there has been a significant uptick in malicious activity targeting Exchange servers since April, with the majority of these attacks employing highly evasive fileless techniques. This article provides tips and advice for securing your Exchange server against advanced threats and for safeguarding critical data and confidential business information in this heightened digital threat environment.

Exchange Risk is Greater than Ever

In February of this year, Microsoft issued a patch for a critical security vulnerability impacting numerous versions of the Exchange Server dating back to 2010, which could be exploited by malicious actors to hijack infected systems - often resulting in the compromise of sensitive data and halting productivity.

Then in April, researchers revealed that threat actors had begun to actively exploit this flaw, which remained unpatched on approximately 350,000 Exchange servers exposed to the Internet at the time. Since then, Microsoft has noticed an alarming increase in malicious activity targeting Exchange servers. The majority of these attacks leverage advanced fileless techniques that exploit legitimate, trusted tools and programs to evade detection.

Trend in attacks targeting Exchange servers since April (Source: Microsoft)

Anatomy of an Exchange Attack

Now you’re probably wondering - how exactly do these emerging attacks targeting Exchange servers work? What methods do attackers employ to compromise servers without users’ knowledge? The first step in defending against a threat is understanding the threat itself - so we’re about to break it down for you.

Once a cyber criminal gains access to a vulnerable Exchange server, they deploy malicious code into one of the web-accessible paths on the server. This enables threat actors to steal data and perform other malicious actions to further compromise the target system.

At this point in the attack, the malicious hackers run exploratory commands and identify targets. They collect a list of all the Exchange Servers on the network, along with details about individual mailboxes, such as role assignments and permissions. The attackers even add a new account on the infected server to obtain administrative access. To remain undetected, cyber criminals will often disable Microsoft Defender Antivirus, as well as automatic updates that were previously enabled.

Steps in an Exchange Attack (Source: Microsoft)

Tips & Advice for Securing Exchange Email Servers

Because of the emerging fileless techniques used in these exploits, implementing behavior-based methods of detection as part of a defense-in-depth approach to security is critical in fortifying Exchange servers. Administrators should deploy a threat-ready, multi-layered cloud email security solution that analyzes thousands of attributes of each email delivered, including its behavior, in real time, reliably blocking fileless attacks that go undetected by traditional security software.

Exchange Online Protection (EOP), the default protection provided by Microsoft, is alarmingly inadequate in combating advanced, modern threats, and requires critical additional layers of security, properly configured and managed by a reputable provider, in order to be effective in safeguarding users. According to the FBI, 30% of phishing attacks make it through existing systems and are opened by target users. Clearly, superior protection is needed for Microsoft Exchange.

Here are some other tips for securing your Exchange server against emerging exploits:

  • Patch your system immediately and leave antivirus enabled on your server.
  • Pay attention to and investigate all alerts indicating suspicious activity on your server.
  • Restrict access to only those who truly need it and frequently review high-profile groups for suspicious activity.
  • Closely monitor service account-based applications. Become familiar with the normal usage patterns of these accounts and restrict log-on times to help anomalous behavior stand out.
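The tamper indicators described in the anatomy section above (Defender Antivirus and automatic updates switched off, new accounts added for administrative access, code dropped into web-accessible paths) can be audited from the server itself, which supports the "investigate all alerts" and "monitor accounts" tips. The following read-only PowerShell audit is an added example, not code from the original article or from Microsoft; it assumes Defender Antivirus is the installed AV, an elevated session, a retained Security event log, and that $env:ExchangeInstallPath points at the Exchange install directory as it does on Exchange servers.

```powershell
# Added example: read-only audit of the tamper indicators an Exchange intrusion leaves behind.
# Assumptions: Windows Server with Defender Antivirus, elevated session, Security log retained
# for at least $LookbackDays, and $env:ExchangeInstallPath set (true on Exchange servers).
param([int]$LookbackDays = 7)
$since = (Get-Date).AddDays(-$LookbackDays)
$findings = @()

# 1. Defender Antivirus tampering: real-time protection off or the engine not running.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled) {
    $findings += "Defender: AntivirusEnabled=$($mp.AntivirusEnabled) RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
}
# Defender writes event 5001 to its operational log when real-time protection is disabled.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5001; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Defender real-time protection disabled at $($_.TimeCreated)" }

# 2. Automatic updates switched off: the Windows Update service stopped or disabled.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled' -or $wu.Status -ne 'Running') {
    $findings += "Windows Update service: StartType=$($wu.StartType) Status=$($wu.Status)"
}

# 3. New accounts and privilege grants: 4720 = user account created,
#    4732 = member added to a security-enabled local group (for example Administrators).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Security event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])" }

# 4. Code dropped into web-accessible paths: server-side script files created or modified
#    recently under the IIS-served Exchange directories (assumed locations under the install path).
$webRoots = @((Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
              (Join-Path $env:ExchangeInstallPath 'ClientAccess'))
Get-ChildItem -Path $webRoots -Recurse -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { $findings += "Web path file changed: $($_.FullName) ($($_.LastWriteTime))" }

if ($findings.Count -eq 0) { "No tamper indicators in the last $LookbackDays days." }
else { $findings | ForEach-Object { "ALERT: $_" } }
```

Each ALERT line is a lead to investigate, not proof of compromise: a legitimate update or admin change will also show up here, so compare hits against your change records.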

Have additional questions about securing your Exchange server? Leave a comment below and one of our security experts will respond to you shortly. We want to help you stay secure online in this time of increased digital risk.
