Exchange 2019

Microsoft Exchange Server Attacks Get White House Taskforce Response


As we reported yesterday, Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. In response to the ongoing problem, President Joe Biden is now launching an emergency taskforce to manage the massive attack.

Through remote attacks against Microsoft Exchange Server, threat actors can gain access to email accounts. 30,000 organizations have already been impacted by the vulnerability. All the critical vulnerabilities are found in Exchange Server 2019, 2016, and 2013. Only Exchange Online has escaped the flaw.

The vulnerabilities are as follows:

  • CVE-2021-26855: CVSS 9.1
  • CVE-2021-26857: CVSS 7.8
  • CVE-2021-26858: CVSS 7.8
  • CVE-2021-27065: CVSS 7.8

Following the Cybersecurity and Infrastructure Security Agency (CISA) issuing a warning on Saturday, the Biden administration is also getting involved. White House press secretary Jen Psaki says the attack is “a significant vulnerability that could have far-reaching impacts.”

“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”


The message from CISA, the White House, and Microsoft is clear: Microsoft Exchange Server users must apply the patches Microsoft has already released. Those who cannot update immediately should scan their servers to ensure they have not been exploited.

For those in that bracket, Microsoft yesterday launched a tool to help see if their Exchange Server is compromised.

Specifically, an update for its free Exchange server Indicators of Compromise tool allows users to scan server logs for problems. Microsoft and security researchers say the best way to mitigate against the exploit is to ensure Exchange Server installations are up to date.

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

Tip of the day:

If your PC keeps connecting to the wrong WiFi network, you can set WiFi priority to avoid the need to manually select access points over and over again.

Source Winbuzzer

Microsoft Exchange Online Users to Be Throttled When Reaching Upper Mail Limit


Microsoft says it is going to take a stricter position on the number of emails that Microsoft Exchange Online can accept. The company’s email hosting service, which underpins the Outlook experience, will start enforcing its upper limit for messages received starting this April.

It is worth noting Microsoft Exchange Online has always had an upper limit. This is a cap on the number of emails someone can receive. This upper limit only really bothers so-called “hot recipients”, users who receive thousands of emails each hour.

That upper limit is 3,600 but Microsoft has never really been strict about enforcing it. In other words, recipients were receiving over the upper limit without Microsoft stopping them. The company now says that will change.

In an effort to optimize Exchange performance across inboxes and deliver a unified capacity, the company will start enforcing that 3,600 emails per hour limit. According to Microsoft, mailboxes that pass this limit often see service disruptions for themselves and others.

New Method

To prevent this, Microsoft will throttle tenants receiving over the upper limit. Emails sent to a mailbox that is over the limit will receive a non-delivery report. Because the limit is hourly, Microsoft will continue to reset the threshold automatically each hour.

The company says the change applies to the following products:

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard Office
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Enterprise E5
  • Office 365 Enterprise F3

Microsoft’s new throttle and limit will come into action this April. The company says admins should be more aware of the number of mails they are receiving across mailboxes, especially if there are hot recipients.

To ease customers into the change, Microsoft will start the threshold above 3,600 and slowly reduce to help organizations adapt.

Tip of the day:

When Windows 10 runs into serious problems, it’s not rare to run into startup problems. Corrupted Windows files, incorrect system configuration, driver failure, or registry tweaks can all cause this issue.

Using Windows 10 startup repair can fix boot issues caused by the most prevalent issues. Though it may seem that all is lost when you run into startup problems, it’s important to try a Windows 10 boot repair so you can at least narrow down the source of the issue. If it doesn’t work, you may have to reinstall the OS or test your hardware.

Source Winbuzzer

Security updates released for Exchange and SharePoint Servers 2010 to 2019


Microsoft recently released several security updates for Exchange Server and SharePoint Server to mitigate against proof-of-concept flaws in all recent versions of the product, including Exchange Server 2010, which left support in October – supposedly never to receive security patches again.

These updates should indicate the severity of the issues discovered. Although little has been published so far about this, Steven Seeley from Source Incite, who identified the vulnerability and reported it to Microsoft, explained that the flaw allows an attacker with low-privilege credentials (e.g., a user mailbox) to elevate to the SYSTEM account on the Exchange Server and retrieve information.

The vulnerabilities are not limited to one type either – and affect Exchange Web Services on Exchange 2016 and 2019, and the way information is retrieved via XML for OWA for Exchange 2013, 2016, and 2019.

On SharePoint Server 2010 to 2019 – which is less frequently installed on-premises but still a target – a similar XML-based exploit is possible, discovered by the same researcher.

Less information is available about the Exchange Server 2010 exploit, which appears to be exploitable via the Exchange Management Shell. According to Microsoft, it can be triggered through cmdlet arguments by an authenticated user. Most importantly, Microsoft considered this serious enough to release a new update rollup to resolve it.

Exchange Server Patches

Download updates for Exchange Server below. You’ll find links to the relevant CVEs on each page.

  • Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2013: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

SharePoint Server Patches

Finally, you’ll find links to updates for SharePoint Foundation and SharePoint Server below, again alongside the relevant CVEs.

  • Description of the security update for SharePoint Foundation 2010: December 8, 2020
  • Description of the security update for SharePoint Foundation 2013: December 8, 2020
  • Description of the security update for SharePoint Enterprise Server 2016: December 8, 2020
  • Description of the security update for SharePoint Server 2019: December 8, 2020

If you have any questions, please let us know in the comment section.

Source Practical365

Switching off legacy authentication for Exchange Online


Keeping legacy authentication enabled in your Microsoft 365 tenant should be avoided; however, actually disabling it has traditionally been difficult. Unless you already have a good understanding of your clients, doing so may present a risk.

Recent improvements to Exchange Online make this simple to configure, and you can now retrieve the information you need to identify potential clients that might be affected.

In this article, we will walk through the process to identify clients using legacy authentication, then utilize the new functionality available to Exchange Online to disable legacy auth for selected protocols.

Reviewing legacy sign-ins to Exchange Online

Before disabling legacy authentication for Exchange Online, it is essential to ensure that clients won’t be affected or prevented from signing in, or if they will, gather enough information so that you can inform people who will be impacted.

You can do this in the Azure Active Directory portal by reviewing sign-in logs using dedicated capabilities to filter based on legacy authentication. To do this, navigate to the Azure AD portal and then select Sign-ins under Monitoring.

In this section, you will see all sign-in attempts to Azure AD, including sign-ins to all Microsoft 365 services from all your clients. We’ll first make sure the information we need is clearly displayed by adding the Client app column, as shown below:

client app

Next, we’ll use Add filters to add a filter based on client app:

add filters

The filter for client app will allow us to reduce the list shown to only relevant clients. To do this, expand the filter and from the drop-down list only select the protocols listed under Legacy authentication clients:

Legacy authentication clients

This list is likely to show us both successful and unsuccessful sign-ins. Whilst unsuccessful sign-ins are a concern, we will focus on successful sign-ins to gain insight into what should be real sign-ins from our users. We’ll do this by using Add filters to add a filter based on Status:


We’ll then change the filter for Status to only show results that are a Success:

Status: success

You will then see what may be a long list of sign-ins from legacy authentication clients to Exchange Online. You can expand this using the Date filter to up to one month to gain more insights and use Download to export a list for review.

In the example below, we can see that many users make wide use of Exchange ActiveSync. Therefore, before disabling this protocol, we’ll need to move them to a modern-authentication-capable client such as the Outlook app.

If you examine the list and want to understand which legacy authentication protocols are not in active use and can be immediately disabled, re-open the Client app filter and unselect the protocols shown in your results. By unselecting Exchange ActiveSync, we can then easily see the other protocols in active use:

Exchange ActiveSync

We will repeat the process by removing other protocols in active use until no results are shown. In the example below, we have quickly discovered that only ActiveSync and Exchange Web Services are in use, and there are no sign-ins over the last month from any other legacy clients.

Exchange ActiveSync and Exchange Web Services
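To run the same elimination over the exported sign-in list instead of toggling filters in the portal, here is an added Python example (not from the article or from Microsoft). It keeps successful sign-ins from the legacy client app list, reports which legacy protocols are still in use and by whom, counts failed legacy attempts separately, and lists the protocols with no successful sign-ins that can be disabled first. The column names and the legacy client app list are assumed to match the portal’s CSV download; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Client app values that Azure AD groups under "Legacy authentication clients"
# in the sign-in filter (assumed to match the strings in the CSV export).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients", "POP3",
}

# Constructed sample of an exported sign-in log; the "Client app", "Status"
# and "User" column names are assumptions about the portal's download format.
SAMPLE_EXPORT = """Date (UTC),User,Client app,Status
2021-01-10T08:01:12Z,alice@contoso.example,Exchange ActiveSync,Success
2021-01-10T08:02:40Z,bob@contoso.example,Exchange ActiveSync,Success
2021-01-10T08:05:03Z,carol@contoso.example,Browser,Success
2021-01-10T08:07:55Z,dave@contoso.example,Exchange Web Services,Success
2021-01-10T08:09:30Z,eve@contoso.example,IMAP4,Failure
2021-01-10T08:11:18Z,mallory@contoso.example,POP3,Failure
2021-01-10T08:12:01Z,alice@contoso.example,Mobile Apps and Desktop clients,Success
"""


def legacy_sign_in_summary(csv_text):
    """Split legacy sign-ins into successes (per app, with users) and failures."""
    successes, failures, users = Counter(), Counter(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["Client app"]
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern auth clients (Browser, Mobile Apps...) are irrelevant
        if row["Status"] == "Success":
            successes[app] += 1
            users.setdefault(app, set()).add(row["User"])
        else:
            failures[app] += 1
    return successes, failures, users


def protocols_in_use(csv_text):
    """Legacy protocols with real sign-ins, and the users who must be migrated."""
    _, _, users = legacy_sign_in_summary(csv_text)
    return {app: sorted(who) for app, who in users.items()}


def failed_legacy_attempts(csv_text):
    """Failed legacy sign-ins per protocol: worth a look (e.g. password spray)."""
    return legacy_sign_in_summary(csv_text)[1]


def protocols_safe_to_disable(csv_text):
    """Legacy protocols with no successful sign-in in the export window."""
    successes, _, _ = legacy_sign_in_summary(csv_text)
    return sorted(LEGACY_CLIENT_APPS - set(successes))


if __name__ == "__main__":
    for app, who in protocols_in_use(SAMPLE_EXPORT).items():
        print(f"{app}: still used by {', '.join(who)}")
    print("Failed legacy attempts:", dict(failed_legacy_attempts(SAMPLE_EXPORT)))
    print("Safe to disable first:", ", ".join(protocols_safe_to_disable(SAMPLE_EXPORT)))
```

Widen the Date filter to a month before exporting, as the article suggests, so a protocol is only declared unused on a full month of data.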

Selectively switching off legacy authentication

After discovering which protocols are not in active use, we are in a position where it becomes low-risk to disable legacy authentication.

Instead of using Exchange Online PowerShell, we can now use the Microsoft 365 admin center to disable legacy authentication for Exchange Online on a protocol-by-protocol basis, affecting all users. To do this, navigate to Settings > Org settings and choose Modern authentication from the services list. In the Modern authentication page, we’ll disable the legacy protocols no longer in use:

Modern authentication

You’ll note that in the example above we’ve disabled legacy authentication for IMAP4, POP3, Exchange Online PowerShell, and Autodiscover. For Exchange Online PowerShell, this means you must use either the V2 module or the deprecated V1 module that supports MFA. By disabling legacy authentication to Autodiscover, we will prevent additional legacy clients from attempting to discover Exchange Online information.

Because we know legacy ActiveSync is in use in our organization and there is a small amount of active legacy Exchange Web Services usage, we’ll leave these protocols enabled.

Once we are happy with the settings, we’ll choose Save to apply these to all Exchange Online clients.

Disabling Legacy Authentication for all Exchange Online services

Using our sign-in log information, we will upgrade or reconfigure discovered clients to use modern authentication. After re-running the steps to filter Azure AD sign-ins and confirming we no longer have any active usage of legacy authentication, we’ll re-visit the Microsoft 365 admin center and disable legacy authentication for all Exchange Online protocols:

Modern authentication options

Further improving security for Microsoft 365 and Exchange Online

Disabling legacy authentication to Exchange Online isn’t the panacea of Microsoft 365 security – it is just one step towards helping keep the environment secure from particular threats, like password spray attacks.

Suppose you have Microsoft 365 E3, Microsoft 365 Business Premium, EMS E3, or Azure AD Premium licenses. In that case, you should consider configuring Conditional Access in your environment to selectively enable Azure Multi-Factor Authentication or configure rules to only allow access to your environment from Intune enrolled devices, Hybrid Azure AD domain-joined PC – or other criteria, such as IP address.

However, suppose you don’t have Conditional Access available. In that case, you may want to consider using Azure AD Security Defaults or (if you need it on a per-user basis) Office 365 multi-factor authentication. Azure AD Security Defaults is particularly useful if you wish to have a guided process over 14 days rather than immediately. It also provides additional MFA protection to privileged administrative actions in your tenant.

Source Practical365

Microsoft Exchange Servers Targeted by New PowerShell Backdoors


Security researchers have discovered a pair of brand-new PowerShell backdoors following an attack on a Microsoft Exchange server. Although the attack took place last year, it seems the responsible group used a new method.

According to Palo Alto’s Unit 42 security team, a threat group called xHunt is responsible for the attack. This group has been known to target organizations in Kuwait, including a 2018 breach of the country’s government system.

A newer attack that occurred around August 22, 2019 shows the group has a new way of breaching targets. Specifically, two new PowerShell backdoors were used. One has been dubbed “TriFive” and the other is called “Snugy.”

“Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” say researchers from the Palo Alto team.

How it Happened

Although last year’s attack has now been discovered, researchers are not clear how the group succeeded in gaining access to the Microsoft Exchange server. The attack was reported over a year after it happened, when an organization found suspicious commands being run through the Internet Information Services (IIS) worker process w3wp.exe.

On the server, the team says it “did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.”

Two scheduled tasks “ResolutionHosts” and “ResolutionsHosts” were used in c:\Windows\System32\Tasks\Microsoft\Windows\WDI to persistently run PowerShell scripts every 30 minutes and every five minutes.

“The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” add the researchers.

Source Winbuzzer

Microsoft: ‘Expect a bumpy ride’. These are 2019’s top 10 tech challenges


Microsoft president Brad Smith reckons the tech sector could be in for a “bumpy ride” in 2019, with new US national privacy regulation, an ongoing trade war with China, a US resistant to diplomatic responses to hacking and election meddling, and regulatory responses to artificial intelligence.

Key changes that could broadly affect the tech sector include a proposal by the Department of Commerce in November to add artificial intelligence to its controlled exports schedule due to their importance to national security.

Smith, who’s also Microsoft’s chief legal counsel, says across both sides of American politics there is “greater appreciation of China’s momentum in artificial intelligence and other technology and heightened concern about its economic and national security implications”.

Smith doesn’t mention Donald Trump but notes the “steady wave of US tariff increases on Chinese imports” that the US President hoped would boost Chinese purchases of American products, though not necessarily technology products.

Last year Apple CEO Tim Cook called for regulation of internet companies, while Facebook CEO Mark Zuckerberg grew to accept that new rules will come. Smith writes that last year saw broadening acceptance among tech leaders of the need for some regulation.

But what type of regulation could the US introduce? Smith points to a paper from Democrat Senator Mark Warner from Virginia. The paper proposes a duty on social-media platforms like Facebook to, in Smith’s words, “determine the origin of accounts or posts, identify bogus accounts and notify users when bots are spreading information”.

“Warner has played a steady leadership role on the Senate Intelligence Committee, and the coming months will likely put added spotlight on these ideas,” writes Smith.

He’s also upbeat about the prospect for national privacy legislation, thanks to California’s new privacy laws. The laws, considered the toughest in the nation, allow customers to request companies stop collecting and selling personal data.

“Look to the next few months for the spread of privacy legislation to several other state capitals, all of which will set the stage for an even bigger debate on Capitol Hill,” writes Smith.

Smith called French President Emmanuel Macron’s effort to find a diplomatic solution to state-sponsored hacking and election meddling “last year’s biggest step” to address these attacks on democracy.

Smith notes that Macron’s Paris Call signatories included all EU members and 27 of 29 NATO allies, but not the US. “The New Year brings a new opportunity to bring everyone together,” he writes.

He also expects lawmakers to debate artificial intelligence in early 2019. In December, Smith outlined why Microsoft believes new laws are immediately required to regulate the use of facial-recognition technologies.

“The early months of 2019 will see the legislative focus in the US shift to state capitals, with the issue likely to move to Washington, DC before the year ends,” he writes.

“In the EU, authorities are monitoring facial recognition and other biometric techniques under the GDPR, and the European Commission has started reviewing the ethical issues more broadly. Globally, this is an issue that’s just getting started.”
