Remediating Microsoft Exchange Vulnerabilities

Note: CISA will continue to update this web page as we have further guidance to impart.

For Leaders:

An adversary can exploit these vulnerabilities to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:

  • What steps your organization has taken;
  • Whether your organization has the technical capability to follow the guidance provided below; and
  • If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.

Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed.

For IT Security Staff:

As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises that all system owners complete the following steps:

  1. If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
  2. (Updated March 31, 2021) Run the Microsoft Test-ProxyLogon.ps1 script to check for indicators of compromise (IOCs) related to this incident.
  3. (Updated March 31, 2021) Run the Microsoft Exchange On-premises Mitigation Tool (EOMT.ps1).
    According to Microsoft, this tool:

    • Mitigates against current known attacks using CVE-2021-26855 via a URL Rewrite configuration.
    • Scans the Exchange Server using the Microsoft Safety Scanner.
    • Attempts to remediate compromises detected by the Microsoft Safety Scanner.
    Note: CISA recommends reviewing the EOMT.ps1 blog post for directions on using the tool.

  4. Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
  5. If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
  6. If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
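The steps above, as one added PowerShell example that is not part of the CISA page or of Microsoft's tooling: it records the installed Exchange build, hunts the HttpProxy logs for the CVE-2021-26855 indicator that Microsoft's published hunting guidance and Test-ProxyLogon.ps1 look for (an AnchorMailbox value of the form ServerInfo~host/path), lists the URL Rewrite rules on the Default Web Site, writes a JSON report, and only then, on request, runs Test-ProxyLogon.ps1 and EOMT.ps1 from local copies. The script and report paths, the log date cut-off and the table of minimum patched builds are assumptions; the build table in particular must be checked against Microsoft's published Exchange build numbers before it is relied on. Step 1 (the forensic image) is deliberately not automated: take it before running this, because EOMT's remediation changes the host.

```powershell
#Requires -RunAsAdministrator
# Added example (not CISA's or Microsoft's code). Collect evidence first, mitigate second.
[CmdletBinding()]
param(
    # Hypothetical local copies of the Microsoft scripts; download and hash-check them separately.
    [string]$TestProxyLogonPath = 'C:\IR\Test-ProxyLogon.ps1',
    [string]$EomtPath           = 'C:\IR\EOMT.ps1',
    [string]$ReportPath         = 'C:\IR\exchange-precheck.json',
    # Assumption: only HttpProxy logs written on or after this date are searched.
    [datetime]$LogsSince        = '2021-01-01',
    [switch]$RunMicrosoftTools
)

# Assumed minimum March 2021 Security Update builds per cumulative update
# (key = Major.Minor.Build, value = lowest patched Revision). Verify against
# Microsoft's Exchange build-number table before relying on these values.
$PatchedRevisions = @{
    '15.2.792'  = 10   # Exchange 2019 CU8
    '15.2.721'  = 13   # Exchange 2019 CU7
    '15.1.2176' = 9    # Exchange 2016 CU19
    '15.1.2106' = 13   # Exchange 2016 CU18
    '15.0.1497' = 12   # Exchange 2013 CU23
}

function Get-ExchangeInstallRoot {
    # Setup key written by the Exchange installer; MsiInstallPath is the install root.
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop).MsiInstallPath
}

function Get-ExchangeBuild([string]$Root) {
    # ExSetup.exe carries the full build, including the Security Update revision.
    [version](Get-Item (Join-Path $Root 'Bin\ExSetup.exe')).VersionInfo.ProductVersion
}

function Test-BuildPatched([version]$Build) {
    $cuKey = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if ($PatchedRevisions.ContainsKey($cuKey)) {
        return $Build.Revision -ge $PatchedRevisions[$cuKey]
    }
    # A CU newer than every listed one on the same product line already ships the fix;
    # an older, unlisted CU is out of support and therefore unpatched.
    $newestListed = $PatchedRevisions.Keys |
        Where-Object { $_ -like ('{0}.{1}.*' -f $Build.Major, $Build.Minor) } |
        ForEach-Object { [version]('{0}.0' -f $_) } |
        Sort-Object -Descending | Select-Object -First 1
    return ($null -ne $newestListed) -and ($Build -gt $newestListed)
}

function Find-ProxyLogonRequests([string]$Root, [datetime]$Since) {
    # Cheap Select-String pre-filter per file, then a proper CSV parse of the matches.
    $logDir = Join-Path $Root 'Logging\HttpProxy'
    Get-ChildItem -Path $logDir -Recurse -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Where-Object { Select-String -Path $_.FullName -Pattern 'ServerInfo~' -Quiet } |
        ForEach-Object {
            Import-Csv -Path $_.FullName |
                Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' } |
                Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus, UserAgent
        }
}

function Get-DefaultSiteRewriteRules {
    # EOMT applies its interim mitigation as URL Rewrite rules on the Default Web Site;
    # an empty list after running it means the mitigation did not take (or the module is absent).
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
        -PSPath 'IIS:\Sites\Default Web Site' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty name
}

$root  = Get-ExchangeInstallRoot
$build = Get-ExchangeBuild $root
$hits  = @(Find-ProxyLogonRequests -Root $root -Since $LogsSince)

$report = [ordered]@{
    ComputerName        = $env:COMPUTERNAME
    ExchangeBuild       = $build.ToString()
    BuildHasMarch2021SU = Test-BuildPatched $build
    Cve202126855Hits    = $hits.Count
    SuspectRequests     = $hits
    RewriteRules        = @(Get-DefaultSiteRewriteRules)
    CollectedAt         = (Get-Date).ToString('o')
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath
Write-Host "Build $build patched: $($report.BuildHasMarch2021SU); CVE-2021-26855 indicators: $($hits.Count); report: $ReportPath"

if ($RunMicrosoftTools) {
    # Order matters: IOCs are collected above, before EOMT's remediation can alter them.
    foreach ($script in $TestProxyLogonPath, $EomtPath) {
        if (-not (Test-Path $script)) { throw "Missing $script" }
    }
    & $TestProxyLogonPath
    & $EomtPath
}
```

Run it from an elevated PowerShell session on each on-premises Exchange server, keep the JSON report with the forensic image, and re-run it after step 4 to confirm that BuildHasMarch2021SU is true. Zero indicator hits is not proof of absence: the HttpProxy check covers only CVE-2021-26855, while Test-ProxyLogon.ps1 examines further log sources, so step 2 still has to be completed in full.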

Note: see the figure below for a summary of the observed malicious activity placed into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the Joint FBI-CISA Cybersecurity Advisory AA21-069A: Compromise of Microsoft Exchange Server for additional details.

Figure 1: MITRE ATT&CK Enterprise Techniques Observed (Source: Joint FBI-CISA Cybersecurity Advisory AA21-069A: Compromise of Microsoft Exchange Server)

Additional Resources: