Microsoft Exchange Emergency Mitigation (EM) Service: What You Need to Know
The past few months have been tough for organizations running Microsoft Exchange, with a run of attacks that leveraged zero-day exploits against on-premises Exchange servers. In response, Microsoft has released a new component, the Microsoft Exchange Emergency Mitigation (EM) service, that provides the fastest and easiest way to apply temporary mitigations to internet-connected on-premises Exchange servers before your IT security team installs the applicable Security Update. This blog covers what you should know about the Microsoft Exchange Emergency Mitigation (EM) service.
Summary of Microsoft Exchange Servers Attack
Organizations running on-premises Exchange have suffered a wave of attacks, most recently from actors exploiting unpatched ProxyShell vulnerabilities. State-sponsored attackers have consistently targeted servers with unaddressed flaws since the start of this year. The following is a summary of the vulnerabilities and campaigns that have impacted Microsoft Exchange so far:
- SolarWinds/NOBELIUM attacks: Exchange customers were among those affected by the SolarWinds supply-chain compromise in early 2021, attributed to the Russian state-sponsored group NOBELIUM. NOBELIUM's later 2021 phishing campaign abused the Constant Contact email marketing service.
- ProxyLogon vulnerability: In March 2021, the ProxyLogon vulnerabilities emerged. Of the Proxy-family flaws, ProxyLogon was the most severe: a pre-authentication server-side request forgery let attackers bypass authentication and impersonate legitimate users, including administrators, and, chained with a second flaw, execute code on the server.
- ProxyOracle and ProxyShell attacks: In August 2021, security researcher Orange Tsai (DEVCORE) presented two further vulnerability chains, ProxyOracle and ProxyShell, at Black Hat USA. Shortly afterwards the Cybersecurity and Infrastructure Security Agency (CISA) warned that the ProxyShell flaws were being actively exploited, and that exploitation is ongoing.
- ProxyToken attack: This was followed by yet another Proxy flaw, dubbed ProxyToken. ProxyToken is an authentication bypass that let an unauthenticated attacker change mailbox configuration such as forwarding rules; it carries a lower Common Vulnerability Scoring System (CVSS) rating than the other threats.
To mitigate these ongoing security issues and protect Exchange servers from the increasing risk of cyber threats, Microsoft added the Microsoft Exchange Emergency Mitigation (EM) service in its September 2021 Cumulative Updates (CUs): Exchange Server 2016 CU22 and Exchange Server 2019 CU11.
How Does the Microsoft EM Service Work?
The EM service is designed to reduce reliance on manual patching windows and let customers take a more proactive posture whenever a new threat is discovered. It automatically disables functionality or features on an Exchange server that are exposed to a known threat. To achieve this, the EM service runs as a Windows service (Microsoft Exchange Emergency Mitigation, service name MSExchangeMitigation) that integrates with the cloud-based Office Config Service (OCS). Once an hour it checks the OCS for mitigations. When one is available, the service downloads the mitigation XML and validates its signature, checking the certificate chain and the Extended Key Usage, so that a tampered file is rejected rather than applied. Several mitigations can be applied with the EM service, and Microsoft has outlined three types of action it can take:
- IIS URL Rewrite rule mitigation: A rewrite rule that blocks particular patterns of HTTP requests that could expose an Exchange server to a known threat.
- Exchange service mitigation: Disables a vulnerable Exchange service on the server.
- App Pool mitigation: Disables a vulnerable IIS application pool on the server.
Keep in mind that each mitigation the EM service applies is a temporary interim fix. You still need to install the applicable Security Update (SU) to actually fix the vulnerability and get durable protection.
How Do I Obtain the EM Service?
The EM service is included in Exchange Server 2016 Cumulative Update 22 (CU22) and Exchange Server 2019 CU11, and it is installed on mailbox servers. Before the service can work, the Windows Server hosting Exchange must meet the following prerequisites:
- IIS URL Rewrite Module.
- Universal C Runtime in Windows (KB2999226).
- Connectivity to officeclient.microsoft.com/* over TCP port 443.
Once the CU is installed, the EM service is enabled automatically on each mailbox server. It cannot download mitigations without internet connectivity to the OCS, so Microsoft recommends disabling it on Exchange servers that have no internet access; Microsoft has clarified that the EM service simply does not work without that connectivity.
How to Manage the EM Service
The Emergency Mitigation service comes with new Exchange Management Shell settings that let administrators take more proactive control of it. You can disable the service organization-wide or per server, and you can block individual mitigations. A blocked mitigation is added to the server's blocklist so the service does not apply it again in the future.
If you manually remove an applied mitigation without blocking it, the EM service will reapply it at its next hourly check. To reapply mitigations immediately rather than waiting for that check, restart the EM service.
How to Check Your EM Service Is Working
To confirm the EM service is working, run the Test-MitigationServiceConnectivity.ps1 script from the Exchange Server Scripts folder (%ExchangeInstallPath%Scripts). It reports whether the server can connect to the OCS and whether the service is operating normally.
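The management steps and the connectivity check described above, gathered into one administrator's pass over a single mailbox server. This is an added example written for this post, not code from Microsoft's documentation; the server name EXCH01 and the mitigation ID M01 are placeholders, and it must be run from the Exchange Management Shell by an Exchange administrator.

```powershell
# Added example (not from the original post or Microsoft's docs): check and manage the
# Exchange Emergency Mitigation (EM) service on one mailbox server.
# Assumptions: run in the Exchange Management Shell as an Exchange admin;
# $Server and the mitigation ID 'M01' are placeholders to replace with your own values.
$Server = 'EXCH01'

# 1. Is the Windows service present and running?
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 2. Is EM enabled at the organization level and for this server,
#    and which mitigations have already been applied or blocked here?
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $Server |
    Format-List MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Microsoft's scripts in the Exchange Scripts folder: a readable list of
#    mitigations, and the OCS connectivity test mentioned in the post.
$Scripts = Join-Path $env:ExchangeInstallPath 'Scripts'
& (Join-Path $Scripts 'Get-Mitigations.ps1')
& (Join-Path $Scripts 'Test-MitigationServiceConnectivity.ps1')

# 4. Block one mitigation so the hourly check does not reapply it
#    (for example, after the matching SU has been installed).
Set-ExchangeServer -Identity $Server -MitigationsBlocked @('M01')

# 5. Force an immediate re-evaluation instead of waiting for the next hourly check.
Restart-Service -Name MSExchangeMitigation

# 6. On a server with no internet access, disable EM entirely rather than let it fail hourly.
#    (Use Set-OrganizationConfig -MitigationsEnabled $false to disable it organization-wide.)
Set-ExchangeServer -Identity $Server -MitigationsEnabled $false

# 7. Most recent EM service log files, for troubleshooting a failed check or apply.
Get-ChildItem (Join-Path $env:ExchangeInstallPath 'Logging\MitigationService') |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 Name, LastWriteTime
```

Steps 4 to 6 change server configuration; run steps 1 to 3 first to see the current state, and only block a mitigation once the Security Update it stands in for is installed on that server.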
Is the EM a Wholly Automated Service?
The Microsoft Exchange Emergency Mitigation service is not a wholly automated service. Once the SU for an identified vulnerability has been installed, your IT team will still have to review the applied mitigations and remove those that are no longer needed.
Mainstreet IT Solutions Provides Reliable Managed IT Services
As the leading provider of reliable managed IT solutions, Mainstreet IT offers a range of custom services designed to take your company’s IT burden off your shoulders. Whether you are looking for managed cybersecurity solutions, IT help desk, proactive support, monitoring and maintenance, security and compliance, backup and disaster recovery, or cloud migrations, Mainstreet IT Solutions has you covered.
Our ongoing managed services are designed to enable you to access the latest technologies, top-notch expertise, and innovative solutions for a fixed monthly rate. Our services are explicitly designed to ensure quick resolutions of issues, so you can maximize your productivity and increase profits.
We understand the magnitude of cyber threats currently impacting several organizations in the country. That is why we provide managed cybersecurity solutions designed to keep your network safe from today’s complex cyber threats. Our cybersecurity solutions include firewall and endpoint protection, real-time incident response, DDoS protection service, data breach prevention, dark web monitoring, malware protection, and more. Contact us today to request a quote and learn more.