Microsoft have announced plans to throttle, and eventually block, emails sent from on-premises and hybrid Microsoft Exchange Servers that remain unpatched.
“Persistently vulnerable” servers will receive incrementally stricter controls, beginning with throttling (delayed delivery) up to and including a complete block beyond 90-days, preventing onward delivery to other Microsoft-based email accounts such as those in Microsoft 365/Exchange Online and Outlook.com.
The dramatic move puts yet another large question mark over organisations relying on on-premises Exchange server hardware. While Exchange 2003, 2007, and 2010 are now rare, Exchange 2016 still remains in surprisingly widespread use, and many copies of Exchange 2019 are not regularly patched against known vulnerabilities.
Extra controls will apply to servers that run on outdated or unsupported software or haven’t been patched against known security bugs – to help Exchange admins identify unpatched or unsupported on-premises Exchange servers, and allowing them a chance to upgrade or patch before they become security risks.
Even in 2023, A simple Shodan search still shows thousands of Internet-exposed Exchange servers, with many still waiting to be secured against attacks targeting them with ProxyLogon and ProxyShell exploits, two of the most exploited vulnerabilities from 2021.
For cyber security advice and expertise, please contact our team today.
Microsoft have acknowledged a critical new zero-day vulnerability with Outlook, that does not require any user interaction with an email to be triggered.
Reported by the Ukrainian Computer Emergency Response Team (CERT) to Microsoft and graded 9.8/10 on the severity scale according the NIST, the exploit is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across government, transport, energy and military sectors.
The exploit (CVE-2023-23397) abuses the way Microsoft Outlook attempts to follow links in emails to retrieve remote content, even before they’re opened or viewed in the preview pane – allowing a remote attacker’s server to request authentication via an old technology known as NTLM, and automatically receive poorly encrypted username and password details from Outlook. NTLM was officially retired by Microsoft after Exchange 2003, but the technology remains available in current versions.
This is dangerous because with a username, password and corresponding email address, hackers have effectively completed a credential theft without any interaction from the end user. Many users use their email account as a single-sign on for other applications, putting numerous other services at risk.
CVE-2023-23397 is not yet fully documented however Microsoft believe the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once a connection is made, the server sends the user a new technology LAN manager (NTLM) negotiation message which is relayed for authentication – none of which requires the user to even view the email itself.
The exploit affects only the Microsoft Windows version of the Outlook Desktop client. Outlook for Mac, the Outlook Web & Mobile Apps (as well as Outlook.com) are not affected – since these do not support NTLM authentication. Estimates vary but Outlook is said to be used by over 400 million users worldwide, in its various forms.
System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.
Where this is not possible, system administrators are advised to add users to the Protected Users Security Group (blocking NTLM), or Block TCP 445/SMB outbound from network firewalls or via VPN settings, cutting off any NTLM authentication messages at the perimeter of your network. In both cases, Microsoft warn this may affect other services from working correctly.
For Cyber Security expertise and support, please contact Lineal’s Cyber Security Team today.
Lineal’s IT Support Teams are rolling out an important security change to the way we secure your Microsoft 365 accounts – enabling Multi-Factor Authentication (MFA) for all users.
We’re taking this step in response to a marked increase in account-theft attempts that we’ve seen in recent months; where previously MFA was an optional extra for added security, we’re now strongly recommending this be enabled across the board.
Every person with a Microsoft 365, Exchange Online or Azure user account licensed with Lineal.
What are the advantages?
An extra ‘factor’ at login drastically helps improve the security of your user account – making it difficult for any attacker who manages to obtain your username & password from logging into Microsoft 365 using your identity.
We’ve encountered a noticeable increase in account-takeover attempts in recent months, with individuals’ work emails then being used for the onward spread of supply-chain attacks and phishing emails to others.
Multi-factor authentication is already standard practice across online-banking in the UK, and we believe it should be standardised for all identity-based online services.
How does it work?
In addition to your username and password, each user registers a third factor – typically either a mobile phone number (for SMS), smartphone authenticator app, USB security key or password manager – any of which generates a temporary code for login. This extra ‘factor’ verifies your identity – making it hard for a third party to log into your accounts, since they won’t have access to the temporary passcode.
For preference, we recommend free Authenticator-app based MFA via Microsoft Authenticator, Google Authenticator or similar apps for iOS/Android. These are generally considered to be a more secure method than single-use SMS (text-message) codes, which have their weaknesses, with Microsoft and others announcing this method will be phased out.
However, even SMS-based MFA will be more secure than a standalone password, so we’ll still implement this where necessary.
Does my organisation need to budget for this?
No – although paid options are available if you need your MFA backed by Conditional Access or other security settings.
What’s the timetable for this change?
We’re aiming to have this change fully deployed by 2022.
What do I need to do?
Nothing for now – a member of your Lineal IT Support team will be in touch to discuss implementing the change.
What if I experience issues getting started with MFA?
Please contact our IT Support Teams via [email protected], 01271375999 or via our Client Portal, and one of our team will be happy to assist.
Microsoft has announced that up to 92% of all stand-alone Exchange servers have been patched, following a mass data breach by Chinese state-sponsored Hafnium cybercrime group.
A mass attack on zero-day Exchange servers through four security vulnerabilities was identified and exploited by Hafnium in early March. Those with at risk servers, according to Microsoft VP Tom Burt, are recognised as 400,000 on-premise Exchange servers belonging to multiple government and corporate data centres including defence contractors, schools and other entities globally.
Consequently, the ProxyLogon security fixes released on 2nd March have mitigated this number significantly with 92% of Exchange servers now protected under the new patches. Nevertheless, Microsoft states that around 32,000 servers remained unpatched and vulnerable to Hafnium cybercrime including theft of confidential sensitive data together with installation of ransomware and ‘corrupted web shells’, such as China Chopper, allowing unrestricted external access to the unpatched Exchange servers.
These security fixes are in conjunction with Microsoft’s Exchange on-premises mitigation tool (EOMT) which installs defender scripts and dependency downloads whilst automatically running the Safety Scanner; troubleshooting any identified problems on the Exchange servers.
However, the patches do not protect servers that have already been compromised from further exploitation, therefore Microsoft has advised that organisations administrators scan their stand-alone networks for potentially installed malicious software and scripts in addition to the scans of EOMT.
The attacks themselves have raised questions over the security maintenance of in-house email servers and adds weight to the growing adoption of cloud-based internet email.
Microsoft have urged the system admins of on-premise Exchange email servers to upgrade in response to new breaches from state-sponsored hackers.
The Chinese group, known as ‘HAFNIUM’, are believed to have exploited previously undiscovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 via compromised US-based servers. Microsoft Exchange Online or related services (such as Microsoft 365) are not affected.
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 create a ‘perfect storm’ under which the attacker makes an untrusted connection to the targeted Exchange Server on port 443, and connects appearing to be someone with authorised access to add a web shell that grants a backdoor for future access.
HAFNIUM has previously been accused of industrial espionage and attempts to breach the technology of important private, public and national security organisations, including defence contractors.
As of 4th March, the Department of Homeland Security has also issued an emergency directive to all US federal agencies to urgently patch any on-premises Exchange servers by midday on 5th March.
For Cybersecurity advice and expertise, please contact our team today.
Microsoft have announced Reply All email storm protection for Exchange Online – designed to prevent crushing organisational reply all email chains.
By default, the feature will detect ten reply all emails to over 5,000 recipients within 60 minutes, (what IT admins jokingly call a ‘reply-allpocalypse’) and will block further sending to prevent the problem escalating.
A particular problem in large organisations, email storms begin when large numbers of recipients click ‘reply-all’ either to respond or ask to be removed from the chain – massively multiplying the overall number of emails passing through Exchange servers.
If you find yourself stuck in a big reply all email storm, the guidance is simple: Do nothing. Do not reply to the email. Replying only makes the problem worse for everyone in the email chain, including you.
Reply all email storms have plagued large organisations. The NHS was infamously struck by a server-crushing 500 million emails in less than two hours on 14th November 2016, after an IT contractor accidentally sent a test email to everyone with an NHSmail email address – approximately 840,000 people.
Microsoft itself became one of the first test cases during the “Bedlam DL3” incident of 1997, when a user emailed 13,000 company addresses. Other users unaware of how many replies they were sending asked to be removed, and by the time the storm had subsided a terrifying 15 million emails had been sent – far beyond the capacity of late-90s email servers.
Reply-all email storm protection is currently being rolled-out to Microsoft Exchange Online and packaged services including Microsoft 365.
For IT Support and expertise, please contact Lineal today.
iOS 11 users who updated their iPhones and iPads this week have been given a nasty shock, upon discovering Microsoft email services will no longer function correctly.
Apple are reported to be ‘working closely’ with Microsoft to resolve the issues – affecting compatibility with Microsoft Exchange 2016, Office 365 and Outlook.com – which display an error message informing users that their mail account “Cannot send mail. The message was rejected by the server.”
One week on from Apple’s flagship iPhone X launch, the problem leaves the tech giant with a public relations headache, as early adopters of the newest touchscreen operating system rush to complain online.
Rubbing salt in the wound, Microsoft also published an official support warning on Tuesday, rather mischievously entitled: “You can’t send or reply from Outlook.com, Office 365, or Exchange 2016 in iOS 11 Mail.app”. According to MacRumors, beta testers (including engineers at Lineal) were raising the Microsoft email service problem as early as July, although it appears to be unresolved by Apple’s developers.
Users urgently needing email are advised to download the Outlook for iOS app from the App Store as a lifesaving alternative, suffer a more Microsoft branded email experience, and await rescue from Apple bug fixers.
At Lineal we’ve found the most commented upon feature of Microsoft’s Office 365 email has been the reduction of spam – but why does running your email from the cloud make Outlook 2016 so much better at blocking these annoying spam emails?
On your old in-house email server, Outlook stops spam emails being delivered based on whatever policies and protection you’ve put there and maintained (or not…,) whilst Office 365 is managed all year round as a remote service, with up-to-the-hour security updates in Microsoft data centres. Moving your business email to the cloud ensures your inboxes are not just company compliant, but physically and virtually safer.
Firstly, Office 365 checks your email for known suspicious attachments or malicious links. If neither are found, your email is screened through three independent Anti-virus engines, before being delivered safely to your inbox.
But what if something suspicious is found? Malicious links are re-written where possible, and suspicious attachments are removed to a sandboxed (isolated in software) ‘detonation chamber’, where they are opened safely to check for harmful code. Any attachments still deemed to be dangerous are removed from the email before being processed further.
Due to sheer volume of email processed through Office 365, Microsoft are also able to use information about all threats seen worldwide, and protect your inbox from even brand new ‘zero-day’ dangers seen elsewhere online.
Office 365 business packages (which can be trialled for free via Lineal) have been made increasingly secure over the past year – with Microsoft opening new UK based data centres and introducing new admin centre for power users to manage system usage in large organisations more effectively. 97% of people can’t identify a phishing email, so it’s important to know that Office 365 will remain vigilant.
Lifecycle support for Microsoft’s Exchange Server 2007 email will end in April 2017, Microsoft has confirmed.
Existing email servers will continue to work past this date initially, but will receive no further patching without purchasing ‘custom support’ at an unknown extra cost. Each version of Exchange is predicted to last only around 10 years, with the 2016 edition lasting until 2025.
Exchange 2007 was included as part of Microsoft Small Business Server 2008 which went end of mainstream support last year. With the challenges of ensuring systems are secure, upgrading from SBS 2008 sooner rather than later will be the order of the day for many businesses.
Unfortunately, upgrading old copies of Exchange Server 2007 to Microsoft’s latest version of Exchange Server (2016) may be more challenging than many organisations will expect, as a direct migration is not available.
This forces users to stepping-stone via the 2010 or 2013 versions, a restriction that will be familiar to any business that has tried to upgrade a legacy Windows XP system to Windows 10, who must buy a redundant Windows 7 license just to make the transition.
Lineal can offer consultancy services for upgrade and migration planning in addition to being a certified Microsoft Partner. We specialise in Office 365 and hybrid deployments across the entire Microsoft product set.
Please get in touch to find out how easy and cost effective it can be to move your email to the cloud with Lineal.
Our website uses cookies to improve your browsing experience: you change your consent preferences here, however denying consent may adversely affect certain website functions. Privacy Policy.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
