IMPORTANT: Partner Service Announcement: Running a “Vulnerable” On-Premises Exchange? Fix it now or you will be forced to!!

 

On March 23, 2023, Microsoft announced that it will take action to secure “persistently” vulnerable Exchange servers by first throttling, and then blocking, email sent from them to Exchange Online.

What does this mean?

Importantly, this will apply to on-premises Exchange only. If you are using Exchange Online (EOL) with your customers, rest assured you are providing secure, patched Exchange services. Mail may be rejected if it originates from an on-premises Exchange server that is determined to be vulnerable.

The enforcement system will eventually apply to all versions of Exchange Server and all email coming into Exchange Online, but Microsoft are starting with a very small subset of outdated servers: Exchange 2007 servers that connect to Exchange Online over an inbound connector of type OnPremises. Yes, 2007! No one ever foresaw 16-year-old technology still being commonplace and used for such a business-critical application, but then again, look at how many customers have XP in their environments.

Why is Microsoft taking this action?

Microsoft is taking this action because of the urgent and increasing security risks to customers that choose to run unsupported or unpatched software. Over the last few years, Microsoft have seen a significant increase in the frequency of attacks against Exchange servers. Microsoft have done (and will continue to do) everything they can to protect Exchange servers, but unfortunately a significant number of organizations don’t install updates or are far behind on updates, and are therefore putting themselves, their data, and the organizations that receive email from them at risk.

Microsoft can’t reach out directly to admins who run vulnerable Exchange servers, so they are using activity from those servers to try to get the admins’ attention. The goal is to raise the security profile of the Exchange ecosystem.

Action required by partners.

Determine what Exchange server is running in your customer environments. Immediately patch if applicable. Have a discussion with your customer about migrating to Exchange Online (EOL). This will be a big project in some cases, as often we have built huge archives hanging off Exchange, but it is better to start building a plan now, as the cost of a migration done in a hurry is going to be considerably more. Talk to your Microsoft team at Dicker Data, as we can assist with large, complex migrations using SkyKick or BitTitan.

While this will initially apply only to Exchange 2007, the writing is on the wall for on-premises Exchange: “Any Exchange server that has reached end of life (e.g., Exchange 2007, Exchange 2010, and soon, Exchange 2013), or remains unpatched for known vulnerabilities. For example, Exchange 2016 and Exchange 2019 servers that are significantly behind on security updates are considered persistently vulnerable.”

For more information see https://aka.ms/BlockUnsafeExchange.