Microsoft have announced plans to throttle, and eventually block, emails sent from on-premises and hybrid Microsoft Exchange Servers that remain unpatched.

“Persistently vulnerable” servers will receive incrementally stricter controls, beginning with throttling (delayed delivery) up to and including a complete block beyond 90-days, preventing onward delivery to other Microsoft-based email accounts such as those in Microsoft 365/Exchange Online and Outlook.com.

The dramatic move puts yet another large question mark over organisations relying on on-premises Exchange server hardware. While Exchange 2003, 2007, and 2010 are now rare, Exchange 2016 still remains in surprisingly widespread use, and many copies of Exchange 2019 are not regularly patched against known vulnerabilities.

Extra controls will apply to servers that run on outdated or unsupported software or haven’t been patched against known security bugs – to help Exchange admins identify unpatched or unsupported on-premises Exchange servers, and allowing them a chance to upgrade or patch before they become security risks.

Recent times have seen a string of major vulnerabilities against Exchange server – including by the Chinese hacking group Hafnium.

Even in 2023, A simple Shodan search still shows thousands of Internet-exposed Exchange servers, with many still waiting to be secured against attacks targeting them with ProxyLogon and ProxyShell exploits, two of the most exploited vulnerabilities from 2021.

For cyber security advice and expertise, please contact our team today.

Microsoft has announced that up to 92% of all stand-alone Exchange servers have been patched, following a mass data breach by Chinese state-sponsored Hafnium cybercrime group.

A mass attack on zero-day Exchange servers through four security vulnerabilities was identified and exploited by Hafnium in early March. Those with at risk servers, according to Microsoft VP Tom Burt, are recognised as 400,000 on-premise Exchange servers belonging to multiple government and corporate data centres including defence contractors, schools and other entities globally.

Consequently, the ProxyLogon security fixes released on 2^nd March have mitigated this number significantly with 92% of Exchange servers now protected under the new patches. Nevertheless, Microsoft states that around 32,000 servers remained unpatched and vulnerable to Hafnium cybercrime including theft of confidential sensitive data together with installation of ransomware and ‘corrupted web shells’, such as China Chopper, allowing unrestricted external access to the unpatched Exchange servers.

These security fixes are in conjunction with Microsoft’s Exchange on-premises mitigation tool (EOMT) which installs defender scripts and dependency downloads whilst automatically running the Safety Scanner; troubleshooting any identified problems on the Exchange servers.

However, the patches do not protect servers that have already been compromised from further exploitation, therefore Microsoft has advised that organisations administrators scan their stand-alone networks for potentially installed malicious software and scripts in addition to the scans of EOMT.

The attacks themselves have raised questions over the security maintenance of in-house email servers and adds weight to the growing adoption of cloud-based internet email.

iOS 11 users who updated their iPhones and iPads this week have been given a nasty shock, upon discovering Microsoft email services will no longer function correctly.

Apple are reported to be ‘working closely’ with Microsoft to resolve the issues – affecting compatibility with Microsoft Exchange 2016, Office 365 and Outlook.com – which display an error message informing users that their mail account “Cannot send mail. The message was rejected by the server.”

One week on from Apple’s flagship iPhone X launch, the problem leaves the tech giant with a public relations headache, as early adopters of the newest touchscreen operating system rush to complain online.

Until this recent development, Office 365 had proved hugely popular with iPhone and Mac users – allowing them to plug Microsoft cloud infrastructure, for dull company email and calendars behind the scenes, into their favoured Apple devices and applications for a a more enjoyable user experience.

Rubbing salt in the wound, Microsoft also published an official support warning on Tuesday, rather mischievously entitled: “You can’t send or reply from Outlook.com, Office 365, or Exchange 2016 in iOS 11 Mail.app”. According to MacRumors, beta testers (including engineers at Lineal) were raising the Microsoft email service problem as early as July, although it appears to be unresolved by Apple’s developers.

Users urgently needing email are advised to download the Outlook for iOS app from the App Store as a lifesaving alternative, suffer a more Microsoft branded email experience, and await rescue from Apple bug fixers.