Exchange 2019

Microsoft Exchange Heading for Passwordless Future, Basic Authentication Ending in 2022

Microsoft is going to war on traditional methods of authentication. We have seen how the company is targeting a passwordless future on Azure, but on Microsoft Exchange the company is also removing Basic Authentication.

In fact, the company says that by October 2022, support for Basic Authentication will be disabled on Microsoft Exchange. According to the company, this is “an outdated industry standard” and evolving cyberthreats can too easily bypass it.

If you are unfamiliar with the term Basic Authentication, it is essentially the ability to log in to an account with a username/email and a password. In other words, Microsoft is now pushing its passwordless movement to Exchange.

For Exchange users who are not currently using Basic Authentication, Microsoft will disable it before October 2022. So, if you want to use this feature until the last moment, you should enable it soon. Microsoft says it will start randomly turning off Basic Authentication early next year to prepare users for the change:

“IMPORTANT: Beginning early 2022, we will selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours. After this time, Basic Auth for these protocols will be re-enabled, if the tenant admin has not already re-enabled them using our self-service tools.”

While this is fairly harsh and users will be chosen at random, Microsoft will inform customers in the Message Center if they are disabling Basic Authentication.

Passwordless Revolution

Microsoft closed 2020 with a promise that 2021 would be the year it moves to a passwordless future. The company said it would move away from passwords on Windows and Azure. Earlier this month, Microsoft stuck to its promise by adding a passwordless option to Outlook and OneDrive. While not mandatory at this point, it is a sign of the direction Microsoft is moving in.

The passwordless decisions the company has made in recent years include password-free login for Azure AD through Microsoft Authenticator. Elsewhere, customers also get password-free Microsoft Account login with FIDO2 compatibility. Then there’s Windows Hello, which uses biometric tools to remove the need for a password.

Source Winbuzzer

Why Microsoft’s Workload-Agnostic Retention Strategy Sometimes Comes Up Short for Email

Exchange Online MRM Still Valuable Even with Microsoft 365 Retention

On August 4, Microsoft refreshed their guidance on using “older retention feature” in their documentation for Microsoft 365 retention policies and labels. Basically, Microsoft’s message is “If you currently use these older features, they will continue to work side by side with Microsoft 365 retention policies and retention labels. However, we recommend that going forward, you use Microsoft 365 retention policies and retention labels to benefit from a single solution to manage both retention and deletion of content across multiple workloads in Microsoft 365.”

Generally, I don’t have much argument with the assertion that tenants should use Microsoft 365 retention policies whenever possible. This technology is, after all, where Microsoft dedicates development effort to improve and enhance capabilities in areas like auto-labeling. However, I consider the Exchange Online Message Records Management (MRM) and its associated retention policies and retention tags to be extraordinarily useful and definitely not ready yet to be ignored. This is especially true for tenants who don’t have the Office 365 E3 or E5 licenses necessary for Microsoft 365 retention policies. Any Exchange Online license covers mailbox retention policies, so that’s a big plus point for many organizations.

The Charms of Mailbox Records Management

Microsoft’s preference for the newer form of retention policies is understandable. Their strategy is to create and deploy retention policies which are workload agnostic, meaning that the same form of retention processing works against Exchange Online, SharePoint Online, OneDrive for Business, Teams, Yammer, and other workloads as they become available. The strategy is good and effective, but its implementation suffers from a lack of granularity and precision because it’s based on container processing. In other words, Microsoft 365 retention processing works against entire mailboxes, sites, or teams and can’t extend to a more granular level, like mailbox folders. You can certainly apply Microsoft 365 retention labels to specific folders, but the retention policies operate against containers.

The second limitation is that because retention policies are workload agnostic, they cannot accommodate special processing for specific workloads. Exchange Online enterprise mailboxes (with Exchange Online Plan 2 or above) can be archive-enabled. An archive mailbox is a great place to hold old email that you seldom need to access but might want to consult at some point in the future. I have archives holding email from 15 years ago. No one should use PSTs for this purpose – the information is much safer when it’s in an archive mailbox.

In 2015, Microsoft enabled auto-expanding archives and made a very big deal of the fact that archive mailboxes could expand in 50 GB “chunks” to accommodate very large amounts of data (the “bottomless archive”). In November 2019, Microsoft realized that some users were dumping huge quantities of data into archives, and they attempted to restrict archive mailboxes to 1 TB. The latest guidance reverts to unlimited auto-expanding archives, which is good. It comes with the caveat that archive growth should be no more than 1 GB/day. This is to limit organizations using Exchange Online archives as migration targets for data from legacy on-premises systems.

Managed Folder Assistant is Key to Retention Processing

Microsoft makes the point that “An archive policy (with any settings) can be used in conjunction with a Microsoft 365 retention policy that applies to a user’s primary and archive mailbox.” This is absolutely true, and it’s because the Exchange Managed Folder Assistant (MFA) applies the directions contained in Microsoft 365 retention policies, Microsoft 365 retention labels, Exchange Online mailbox retention policies, and Exchange Online retention tags (default, folder, and personal) when it processes mailbox contents. MFA used to process retention policies for Teams chats and channel messages stored in Exchange Online mailboxes, but given the advent of support for private channel messages and Yammer messages, Microsoft has now moved this processing to a new background retention assistant.

But what Microsoft 365 retention policies cannot do is define a retention setting for individual default mailbox folders (like Inbox, Deleted Items, etc.) or apply a default archive tag for mailboxes (a Microsoft 365 retention policy can act like a default delete tag). The mailbox retention policies assigned in my tenant have a default archive tag to move items to the archive after two years and a default delete tag to remove messages after ten. Other tags clear out folders like Junk email after 30 days. One irritation is that Microsoft has not moved mailbox retention policies to the new EAC (and might never do so), meaning that you need to go to the legacy EAC to work with policies and tags (Figure 1).

Figure 1: Viewing the tags in an Exchange Online retention policy

Outlook clients deal with Microsoft 365 retention labels just like personal retention tags and combine the set of tags and labels published to mailboxes to allow users maximum flexibility for retention. Figure 2 shows an extreme example (from my mailbox) where the set of retention labels are a combination of both types. You can see, for instance, that OWA offers a choice between labels to perform a “1 week delete” (Exchange MRM) and “Remove after 1 week” (Microsoft 365).

Figure 2: OWA displays both Exchange Online retention tags and Microsoft 365 retention labels

The Microsoft 365 retention labels are more powerful because they enable capabilities like manual disposition, but both types do a good job of removing messages after a certain period.

Use Microsoft 365 Retention as Default and Combine When Necessary

My case is not that Exchange MRM is better than Microsoft 365 retention. MRM obviously lags in many areas, if only because it is technology that has not evolved recently because Microsoft dedicated its resources to build out the workload-agnostic retention capabilities. MRM is based on what’s available for Exchange Server on-premises, and it meets the needs of organizations who want to operate the same information governance on both sides of the hybrid divide.

For now, the right thing to do is to view the combination of Exchange MRM and Microsoft 365 retention as a toolset for email retention. If you can do what’s required by the organization’s information governance policy using Microsoft 365 retention policies and labels, then there’s no need to go anywhere near Exchange MRM. On the other hand, if you need some extra flexibility, you might find it in MRM.

In terms of durability, I suspect that Microsoft will have to keep MRM in Exchange Online until the last Exchange on-premises server in a hybrid tenant is removed. Alternatively, Microsoft might be able to accommodate Exchange archiving in Microsoft 365 retention policies without compromising their workload-agnostic strategy. That step might be enough to convince those using MRM today to move everything to Microsoft 365 retention.

Source Practical365

Microsoft Joins Tech Giants in White House Cybersecurity Meeting

U.S. President Joe Biden has invited the leaders of the three largest tech companies to the White House to seek ways for private companies to fight cyberattacks. Microsoft CEO Satya Nadella, Apple CEO Tim Cook, and Amazon CEO Andy Jassy will all attend the upcoming meeting.

According to Bloomberg, the Biden administration is concerned about the increasing number of attacks against government organizations and infrastructure. Biden has spoken about state-sponsored attacks, including telling Russian president Vladimir Putin that such attacks should be “off limits”.

Biden describes the U.S. as at risk from cyberattacks. Many such threats are born from software services used by government organizations. Those software integrations are mostly provided by giants like Microsoft, Google, Amazon, etc.

Joining Jassy, Cook, and Nadella will be executives from IBM, Google, JPMorgan Chase, and Southern Co. Microsoft, IBM, and Amazon (Web Services), along with FireEye and Cisco are also part of a government program to protect critical infrastructure. It is unclear if the other tech giants will join the effort.

Microsoft Attacks

As the leading enterprise software provider and the second biggest cloud service provider, Microsoft bears the brunt of cyber attacks.

This year, Microsoft Exchange Server was successfully attacked through an exploit first used by the HAFNIUM group. More hackers have since leveraged the exploit for their own attacks. Microsoft sent out patches for all versions of the service, including those out of support. However, users still need to install these patches. Attacks on Microsoft Exchange are ongoing and are the biggest attack threat of 2021, even more so than the SolarWinds vulnerability that was exploited by the Solarigate malware.

Source Winbuzzer

Manage Exchange Online at Scale

After a company has effectively migrated to Microsoft 365 and adopted new cloud services, the number of objects, like users, guests, and groups in a tenant is constantly growing. The same applies to Exchange Online.

Even if you’ve followed guidance for Microsoft 365 group expiration or identity lifecycle management, the result is comparable – the number of objects that you are managing is increasing, becoming more of a challenge for administrators. In this article, we’ll examine how to manage Exchange Online at scale using PowerShell.

Maintaining large sets of objects

As we’re all aware, Microsoft is constantly developing different portals and admin centers for admins to use daily for managing the service. Recently, Microsoft announced the new admin center for Exchange as generally available.

One of the drivers for the new portal is performance and the ability to perform bulk operations. It is REST-based and shaped for minimizing your wait time, reducing errors, and much more. Simply put – it can improve your experience as an administrator.

PowerShell can empower

Despite the improvements to the new admin center for Exchange, it remains limited in terms of functionality and leaves room for performance gains. To see improvements, you must move away from the admin center and use PowerShell. For Exchange Online specifically, you want to install and make use of the Exchange Online PowerShell (EXO) V2 module.

This module combines the legacy as well as the new cmdlets. As of today, nine new cmdlets leverage the new REST-based architecture. Nine may not seem like that much – but think about that in relation to the operations you perform daily, and they are quite sufficient.

Most commands that you use are for retrieving mailbox or recipient attributes or statistics – such as information about the mailbox or all folders within a mailbox.

The new cmdlets allow you to reduce the number of requested attributes, which results in less data transferred over the wire. The ability to do this is called Property sets.

Combining the new cmdlet architecture with smaller improvements like using Property Sets can lead to increased performance. However, since Property Sets are not defined automatically you need to be aware of what you’ll need to retrieve when updating your scripts to the new cmdlets.

Aside from a new architecture, the usage of PowerShell unlocks several tasks. You can easily perform bulk operations based on your filtering, and it also allows you to gather properties that are not even visible in the new Exchange admin center.

Server-side filtering is more important than you might realize

It’s important to emphasize that currently, Microsoft recommends using client-side filtering for optimal performance using the Exchange Online V2 module. However, this applies only to this module.

Below is a brief example, highlighting the difference:

In the first example, the filtering takes place after your client has received all the items. The second example asks the server to filter on the cloud side, and then send the result to the client. This has at least two implications that mean the results from each example provide different output.

First off, we specified the parameter “-ResultSize 20000”. This means we will receive 20000 mailboxes; however, it is likely the collection contains several types of objects in addition to UserMailbox. For example:

Secondly, this demonstrates another issue – you might not retrieve all objects you expect. As you can see in the example above only 13219 are UserMailbox.

When using the server-side filter, however, we will receive the correct result:

Therefore, it can be worth taking a performance hit when using the server-side filter to ensure you receive accurate results.
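
The difference between the two filtering approaches can be measured with a sketch like the following. This is an added example, not the article's original code; it assumes an existing Connect-ExchangeOnline session, and the function name Compare-RecipientFiltering is hypothetical.

```powershell
# Added example (not from the original article).
# Assumes the EXO V2 module is loaded and Connect-ExchangeOnline has been run.
function Compare-RecipientFiltering {
    [CmdletBinding()]
    param(
        [int]$ResultSize = 20000,

        # Restrict the value to letters so it cannot alter the filter expression.
        [ValidatePattern('^[A-Za-z]+$')]
        [string]$RecipientType = 'UserMailbox'
    )

    # Client-side: the service returns the first $ResultSize recipients of ANY type,
    # and Where-Object discards the unwanted types only after they have arrived.
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $unfiltered = @(Get-EXORecipient -ResultSize $ResultSize)
    $clientSide = @($unfiltered | Where-Object { $_.RecipientTypeDetails -eq $RecipientType })
    $clientSeconds = $timer.Elapsed.TotalSeconds

    # Server-side: the service applies the filter first, so the $ResultSize cap
    # counts only objects of the wanted type.
    $timer.Restart()
    $serverSide = @(Get-EXORecipient -ResultSize $ResultSize -Filter "RecipientTypeDetails -eq '$RecipientType'")
    $serverSeconds = $timer.Elapsed.TotalSeconds

    [pscustomobject]@{
        RecipientType     = $RecipientType
        ClientSideCount   = $clientSide.Count
        ServerSideCount   = $serverSide.Count
        ClientSideSeconds = [math]::Round($clientSeconds, 1)
        ServerSideSeconds = [math]::Round($serverSeconds, 1)
        # If the unfiltered fetch hit the cap, the client-side count is computed
        # from a truncated set and may miss objects of the wanted type.
        ClientSideTruncated = ($unfiltered.Count -ge $ResultSize)
    }
}

Compare-RecipientFiltering -ResultSize 20000 -RecipientType UserMailbox
```

When ClientSideTruncated is True and the two counts differ, the client-side number is the unreliable one.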

Use Microsoft Graph with PowerShell for maximum performance

It should be noted that if you need to modify objects using PowerShell, you are limited to the Exchange Online V2 PowerShell module. Unfortunately, Microsoft Graph currently does not provide a way for altering Exchange Online attributes.

However, that does not mean you cannot use Microsoft Graph at all. Since it is intended to retrieve data quickly, you can bypass the overhead of the Exchange Online V2 module for filtering data you want to retrieve.

When you do this, you must make sure that the filter you want to use is supported by Microsoft Graph. But for most scenarios, you should be able to. The full list of query parameters supported by Microsoft Graph is available on Microsoft Docs.

Before you do combine the use of the Exchange Online V2 module with Graph scripting, you need to consider whether it’s worthwhile. To give some insight as to when this will make a difference, consider that overhead for certain modules can make a huge difference.

In an on-premises environment, you can leverage LDAP queries with a filter and pass the result to Exchange. This dramatically improves overall performance, as LDAP is optimized for queries. The same principle applies to Microsoft Graph.

Here is an example of a query using the Exchange module and the corresponding using Microsoft Graph:

Multi-threading your PowerShell scripts provides another option for performance improvement

While this technique is more advanced, it can improve performance to a level you have not yet seen.

Multi-threading, put simply, means that you fork several threads (which you could think of as a sub-process) from your running PowerShell script and have every thread running your code on both your client and on the server-side. This technique is primarily useful for gathering data. The advantage is that you perform a scale-out for your job and several threads work in parallel instead of sequential order for you. The Exchange Online V2 PowerShell module uses this in the architecture. To give you an idea of the power of using multi-threading, take a look at the first single-threaded example:

In the second example using multi-threading we see a 44% improvement in retrieval time:

Managing multiple Exchange Online environments from one PowerShell session

Another feature of the new Exchange V2 module is the ability to connect to multiple tenants in one PowerShell session. This can be extremely helpful during tenant-to-tenant migrations. But, you’ll need to take care of some important pre-requisites and limitations before using the feature:

  • You’ll need to ensure that you prefix each connection – without doing this, you will retrieve only objects from the last established session.
  • The new cmdlets Get-EXO* are already prefixed and will be available ONLY to the last established connection

In the following example, I connected to a source and target tenant. As the new cmdlets are only available to the last established connection, I connect first to the target as I want to leverage the new cmdlets for gathering data:

Note: To distinguish the objects from the tenants, I selected PrimarySmtpAddress and UserPrincipalName.

I used the following commands and order:

Summary

I hope this article provided you with the information and motivation to begin looking into other ways of managing your Exchange Online environment when you have many objects to manage, and/or on a large scale.

Remember, you can use more than the Exchange Online V2 module for PowerShell management. You should try and leverage multiple tools, such as Microsoft Graph to improve the performance of your scripts and administrative tasks. Using these techniques you can build a solid foundation to reduce the time it takes to retrieve information and statistics from your environment, and build scripts to automate routine tasks.

Source Practical365

Exchange Online to Enable Plus Addressing Everywhere in January 2022

Default Enabling of Plus Addressing Might Affect Some Recipients

In September 2020, Microsoft introduced the ability to use plus addressing in Exchange Online. Plus addressing is not a deep and dark email technique. It’s supported by consumer mail systems like Outlook.com and Gmail and many other email systems. Plus addressing means that users can send messages using their normal email address (like Chris.Bishop@Office365itpros.com) with an optional suffix separated by a plus character. The suffix is an arbitrary tag selected by the user for whatever purpose they choose.

The biggest use of plus addressing is probably when people sign up for online services. Using a plus address allows the user to know if a service sells their address to another business. For instance, the person with the address shown above might use an address like Chris.Bishop+P365@Office365itpros.com to subscribe to the Practical 365 newsletter (Figure 1). Messages sent to the address go to the Office365itpros.com server, which strips the suffix from the message and delivers it to the mailbox with the Chris.Bishop@Office365itpros.com address. Later, if the user sees a message sent to the plus address from another source, they know that the sending domain has obtained it from the original service they signed up for.

Figure 1: Using a plus address to sign up for the Practical 365 newsletter

Current Control for Plus Addressing

When Microsoft introduced plus addressing into Exchange Online, the capability was optional and controlled by the AllowPlusAddressInRecipients setting in the Exchange Online organization configuration. If $False, Exchange Online didn’t support user-initiated plus addressing and the only way to use a plus address was if an administrator created one as a proxy address for a mail-enabled recipient (mailbox, shared mailbox, Microsoft 365 group, or distribution list). In effect, when the setting is $False, Exchange Online doesn’t strip the plus segment from an address and attempts to match the complete address string against addresses in its directory.

User-initiated plus addressing means that individual users can choose the tags for plus addresses. To allow this, you need to update the AllowPlusAddressInRecipients setting to $True. Here’s how to update the setting with the Set-OrganizationConfig cmdlet:

What’s changing now (MC276028, August 6) is that Microsoft plans to remove the optional organization setting to make plus addressing available by default in all tenants in January 2022. In other words, you won’t have to enable anything and plus addressing will be available to all users.

The reason for the five-month notice period is that enabling plus addressing throughout Exchange Online has a consequence for tenants where proxy addresses for plus addresses exist. As Microsoft says: “If you don’t stop using email addresses with plus signs (+), Exchange Online may be unable to deliver emails to them when plus addressing is turned on for the entire service.” This includes both hybrid and on-premises mailboxes.

Reporting Recipients with Proxy Addresses

Microsoft recommends that tenant administrators should remove any proxy addresses containing plus characters before January 2022 as Exchange Online will be unable to deliver email to these addresses. A quick way to find out if you’re affected is to run this code:

A more developed (aka useful) version of the command which isolates and reports the plus addresses is as follows:

The output is on-screen (Out-GridView – Figure 2) plus a CSV file that we can use to check the addresses and remove them from the recipients to prepare for the change coming in January 2022.

Figure 2: Reporting mail-enabled recipients with plus (proxy) addresses

Removing Proxy Addresses from Recipients

The code to read and remove plus addresses from recipients is straightforward. We import the CSV file and use a Switch to call the correct command to update the recipient based on its type. As you can see, the code accommodates user mailboxes, shared mailboxes, group mailboxes, and distribution lists.
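
The report-then-remove procedure described in the last two sections can be sketched as follows. This is an added example, not the article's original code: the function names and the contoso.example recipients are constructed for illustration, and in a tenant the input would come from Get-EXORecipient -ResultSize Unlimited -Properties EmailAddresses.

```powershell
# Added example (not from the original article). Function names are hypothetical.

function Get-PlusProxyAddress {
    # Emits one report row per SMTP proxy address whose local part contains "+".
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Recipient)
    process {
        foreach ($address in $Recipient.EmailAddresses) {
            # Only SMTP proxies are affected; skip SIP:, SPO:, X500: and similar entries.
            if ([string]$address -notmatch '^(?<prefix>smtp):(?<local>[^@]+)@(?<domain>.+)$') { continue }
            if ($Matches.local -notlike '*+*') { continue }
            [pscustomobject]@{
                DisplayName          = $Recipient.DisplayName
                Identity             = $Recipient.PrimarySmtpAddress
                RecipientTypeDetails = $Recipient.RecipientTypeDetails
                ProxyAddress         = [string]$address
                # An upper-case SMTP: prefix marks the primary address.
                IsPrimary            = ($Matches.prefix -ceq 'SMTP')
            }
        }
    }
}

function Remove-PlusProxyAddress {
    # Removes a reported proxy address with the cmdlet that matches the recipient type.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Entry)
    process {
        if ($Entry.IsPrimary) {
            # A primary address cannot simply be removed; it needs a replacement first.
            Write-Warning "$($Entry.ProxyAddress) is a primary address; assign a new primary manually."
            return
        }
        $cmdlet = switch ($Entry.RecipientTypeDetails) {
            { $_ -in 'UserMailbox', 'SharedMailbox' } { 'Set-Mailbox' }
            'GroupMailbox'                            { 'Set-UnifiedGroup' }
            'MailUniversalDistributionGroup'          { 'Set-DistributionGroup' }
            default                                   { $null }
        }
        if (-not $cmdlet) {
            Write-Warning "No handler for $($Entry.RecipientTypeDetails) ($($Entry.Identity)); skipped."
            return
        }
        if ($PSCmdlet.ShouldProcess($Entry.Identity, "Remove $($Entry.ProxyAddress)")) {
            & $cmdlet -Identity $Entry.Identity -EmailAddresses @{ Remove = $Entry.ProxyAddress }
        }
    }
}

# Constructed sample recipients so the report logic can be tried without a tenant.
$sampleRecipients = @(
    [pscustomobject]@{
        DisplayName = 'Chris Bishop'; PrimarySmtpAddress = 'Chris.Bishop@contoso.example'
        RecipientTypeDetails = 'UserMailbox'
        EmailAddresses = @('SMTP:Chris.Bishop@contoso.example',
                           'smtp:Chris.Bishop+P365@contoso.example',
                           'SIP:chris.bishop@contoso.example')
    },
    [pscustomobject]@{
        DisplayName = 'Sales Team'; PrimarySmtpAddress = 'sales+emea@contoso.example'
        RecipientTypeDetails = 'MailUniversalDistributionGroup'
        EmailAddresses = @('SMTP:sales+emea@contoso.example')
    },
    [pscustomobject]@{
        DisplayName = 'Help Desk'; PrimarySmtpAddress = 'helpdesk@contoso.example'
        RecipientTypeDetails = 'SharedMailbox'
        EmailAddresses = @('SMTP:helpdesk@contoso.example', 'smtp:support@contoso.example')
    }
)

$report = $sampleRecipients | Get-PlusProxyAddress
$report | Format-Table DisplayName, RecipientTypeDetails, ProxyAddress, IsPrimary

# Save the report for review, then preview the changes; drop -WhatIf to apply them.
$report | Export-Csv -Path .\PlusAddresses.csv -NoTypeInformation
$report | Remove-PlusProxyAddress -WhatIf
```

With the sample data, the report lists the Chris Bishop alias as removable and flags the Sales Team address as a primary address that needs manual handling.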

After running the code to clean up the plus addresses from mail-enabled recipients, you shouldn’t notice any issues when Microsoft makes the big switch in January 2022. At least, that’s the theory!

Source Practical 365

Microsoft Issues Security Updates for Exchange On-Premises Servers

Keep on Patching

Fifteen weeks on from the Hafnium fiasco, I hope those responsible for Exchange Server maintenance haven’t forgotten the need to keep their on-premises servers fully patched and up to date. Microsoft has released security updates to address issues like the remote code vulnerability reported in CVE-2021-34473 and CVE-2021-31206. The updates apply to:

  • Exchange Server 2013 CU23.
  • Exchange Server 2016 CU20 and CU21.
  • Exchange Server 2019 CU9 and CU10.

All servers, including those used for hybrid account management, must be updated.

Obviously, if you haven’t updated Exchange Server to one of the releases listed above, some extra effort is necessary to get to a suitable build.

Like taking a second vaccination dose to protect against Covid-19, full protection isn’t assured unless you also apply an Active Directory schema update. If you’re running Exchange 2016 CU21 or Exchange 2019 CU10, you’re already protected. Those running Exchange 2016 CU20 or Exchange 2019 CU9 need to extend the schema using the June 2021 cumulative updates.

For Those Running Exchange 2013

While Exchange 2016 and 2019 received schema updates through cumulative updates, Exchange 2013 was not updated in June 2021. Special processing is therefore needed for Exchange 2013 servers when Exchange 2013 is the latest server version in the organization (if it’s not, the schema updates are done when cumulative updates are applied to Exchange 2016 or 2019).

  • Go ahead and install the security update for Exchange 2013 CU23. This leaves some updated schema files on the server but does not install them. Microsoft uses the security update to distribute the schema files to servers in the absence of a cumulative update.
  • When you’re ready to extend the schema, run Setup.exe to perform the update (/prepareschema from v15\Bin). Setup will use the updated schema files left by the security update to apply the changes to Active Directory.

As always, make sure that you apply Exchange server updates using an administrator account with elevated permissions.

Block the Attackers

One of the lessons we learned from Hafnium is how easy it is for attackers to exploit new weaknesses discovered in on-premises servers. The imperative is for administrators to stay on top of problems by installing security updates as soon as possible after Microsoft releases code. If you don’t, your servers might be on the target list for the next attack, and that wouldn’t be nice.

Source Practical365

Microsoft Exchange Server Gets Patches for New Vulnerabilities

Microsoft Exchange Server has been the talk of the cybersecurity world during the first months of 2020. A major vulnerability allowed state sponsored threat actors to breach the servers of tens of thousands of customers. Microsoft has now released a new update of security patches for Exchange Server.

This latest release tackles new Remote Code Execution (RCE) flaws in the platform. Microsoft is warning customers to update their Exchange Server as quickly as possible, although no exploit for these vulnerabilities has been observed in the wild. The company was told of the vulnerabilities by the National Security Agency (NSA).

Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. More threat groups have since targeted the exploit. Microsoft has sent out patches for all versions of the service, including those out of support.

Microsoft says updating Exchange Server is the best way to avoid the exploit. Furthermore, the company has launched a tool to help customers know if they have been breached.

These security updates are specifically for Microsoft Exchange Server 2013 CU23, Exchange Server 2016 CU19/CU20, and Exchange Server 2019 CU8/CU9. If you don’t run any of those cumulative updates, you should update to those versions first. Once you have, the latest patches can be applied and Exchange Server should be protected against the old vulnerabilities and the new ones.

Tackling the Ongoing Problem

The attacks on Microsoft Exchange Server customers are ongoing, although more organizations are now patching. There’s a chance many businesses have been attacked and the FBI is now targeting these exploits.

In a statement this week, the Department of Justice confirmed the FBI has the authorization to remove web shells on compromised servers if they are related to the exploit. While that’s a nice backup for organizations, it is worrying that the FBI can do this without the customer knowing.

“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

Source Winbuzzer

Microsoft Exchange Server Attacks Get White House Taskforce Response

As we reported yesterday, Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. In response to the ongoing problem, President Joe Biden is now launching an emergency taskforce to manage the massive attack.

By using remote back access attacks against Microsoft Exchange Server, threat actors can access email accounts. 30,000 organizations have already been impacted by the vulnerability. All the critical vulnerabilities are found in Exchange Server 2019, 2016, and 2013. Only Exchange Online has escaped the flaw.

The vulnerabilities are as follows:

  • CVE-2021-26855: CVSS 9.1
  • CVE-2021-26857: CVSS 7.8
  • CVE-2021-26858: CVSS 7.8
  • CVE-2021-27065: CVSS 7.8

Following the Cybersecurity and Infrastructure Agency (CISA) issuing a warning on Saturday, the Biden administration is also getting involved. White House press secretary Jen Psaki says the attack is “a significant vulnerability that could have far-reaching impacts.”

“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

Checks

The message from CISA, the White House, and Microsoft is clear: Microsoft Exchange Server users must apply the patches Microsoft has already issued. Failing an update, customers should scan their servers to ensure they have not been exploited.

For those in that bracket, Microsoft yesterday launched a tool to help see if their Exchange Server is compromised.

Specifically, an update for its free Exchange server Indicators of Compromise tool allows users to scan server logs for problems. Microsoft and security researchers say the best way to mitigate against the exploit is to ensure Exchange Server installations are up to date.

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

Tip of the day:

If your PC keeps connecting to the wrong WiFi network, you can set WiFi priority to avoid the need to manually select access points over and over again.

Source Winbuzzer


Microsoft Exchange Online Users to Be Throttled When Reaching Upper Mail Limit


Microsoft says it is going to take a stricter position on the number of emails that Microsoft Exchange Online can accept. The company’s email hosting service, which underpins the Outlook experience, will start enforcing its upper limit for messages received starting this April.

It is worth noting Microsoft Exchange Online has always had an upper limit. This is a cap on the number of emails someone can receive. This upper limit only really bothers so-called “hot recipients”, users who receive thousands of emails each hour.

That upper limit is 3,600 but Microsoft has never really been strict about enforcing it. In other words, recipients were receiving over the upper limit without Microsoft stopping them. The company now says that will change.

In an effort to optimize Exchange performance across inboxes and deliver a unified capacity, the company will start enforcing that 3,600 emails per hour limit. According to Microsoft, mailboxes that pass this limit often see service disruptions for themselves and others.

New Method

To prevent this, Microsoft will throttle tenants receiving over the upper limit. Emails sent to a mailbox that is over the limit will get a non-delivery report. Because the limit is hourly, Microsoft will continue to reset the threshold automatically each hour.

The company says the change is reflected in the following products:

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard Office
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Enterprise E5
  • Office 365 Enterprise F3

Microsoft's new throttle and limit will come into effect this April. The company says admins should be more wary of the number of mails they are receiving across mailboxes, especially if there are hot recipients.

To ease customers into the change, Microsoft will start the threshold above 3,600 and slowly reduce it to help organizations adapt.

Tip of the day:

When Windows 10 runs into serious problems, it’s not rare to run into startup problems. Corrupted Windows files, incorrect system configuration, driver failure, or registry tweaks can all cause this issue.

Using Windows 10 startup repair can fix boot issues caused by the most prevalent issues. Though it may seem that all is lost when you run into startup problems, it’s important to try a Windows 10 boot repair so you can at least narrow down the source of the issue. If it doesn’t work, you may have to reinstall the OS or test your hardware.

Source Winbuzzer


Security updates released for Exchange and SharePoint Servers 2010 to 2019


Microsoft recently released several security updates for Exchange Server and SharePoint Server to mitigate against proof-of-concept flaws in all recent versions of the product, including Exchange Server 2010, which left support in October – supposedly never to receive security patches again.

These updates should indicate the severity of the issues discovered. Although little has been published so far about this, Steven Seeley from Source Incite, who identified the vulnerability and reported it to Microsoft, explained that the flaw allows an attacker with low-privilege credentials (e.g., a user mailbox) to elevate to the SYSTEM account on the Exchange Server and retrieve information.

The vulnerabilities are not limited to one type either – and affect Exchange Web Services on Exchange 2016 and 2019, and the way information is retrieved via XML for OWA for Exchange 2013, 2016, and 2019.

On SharePoint Server 2010 to 2019, which is less frequently installed on-premises but still a target, a similar XML-based exploit can be used; it was detected by the same researcher.

Less information is available about the Exchange Server 2010 exploit, which appears to be exploitable through the Exchange Management Shell. According to Microsoft, an authenticated user can exploit it through cmdlet arguments. Most importantly, Microsoft considered this serious enough to release a new update rollup to resolve it.

Exchange Server Patches

Download updates for Exchange Server below. You’ll find links to the relevant CVEs on each page.

  • Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2013: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

SharePoint Server Patches

Finally, you’ll find links to updates for SharePoint Foundation and SharePoint Server below, again alongside the relevant CVEs.

  • Description of the security update for SharePoint Foundation 2010: December 8, 2020
  • Description of the security update for SharePoint Foundation 2013: December 8, 2020
  • Description of the security update for SharePoint Enterprise Server 2016: December 8, 2020
  • Description of the security update for SharePoint Server 2019: December 8, 2020

If you have any questions, please let us know in the comment section.

Source Practical365
