Microsoft has released Exchange On-Premises Mitigation Tool (EOMT), which quickly performs the initial steps for mitigating the ProxyLogon flaw (CVE-2021-26855) on any Exchange server and attempts to remediate found compromises.
“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft explained.
About Microsoft Exchange On-Premises Mitigation Tool
EOMT is a PowerShell script that must be run as Administrator on on-premises Exchange servers, and it does the following:
- Mitigates against current known attacks using CVE-2021-26855 via a URL Rewrite configuration
- Downloads Microsoft Safety Scanner, a tool designed to find and remove malware from Windows computers, and uses it to scan the underlying Exchange Server for malicious artifacts and changes
- Attempts to reverse discovered changes made by known threats
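A post-run check an administrator can use to confirm the two things the tool is described as doing (a URL Rewrite rule on the Exchange front-end site and a Microsoft Safety Scanner run); this is an added example, not part of EOMT or Microsoft's guidance, and it assumes the mitigation lands on "Default Web Site" and that the scanner writes its log to the default `%windir%\debug\msert.log` path.

```powershell
# Added verification script (not EOMT itself). Run as Administrator on the Exchange server
# after EOMT has finished. Assumptions: the rewrite rule is applied to "Default Web Site"
# (the site hosting the Exchange front-end virtual directories) and Microsoft Safety Scanner
# logs to %windir%\debug\msert.log, its default location.
Import-Module WebAdministration -ErrorAction Stop

$site  = 'Default Web Site'
$rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath "IIS:\Sites\$site"

if (-not $rules) {
    Write-Warning "No URL Rewrite rules found on '$site'. Either EOMT has not run or the rule was applied to another site; install the security update regardless."
} else {
    Write-Host "URL Rewrite rules on '$site':"
    foreach ($r in $rules) {
        # The match pattern and action type (e.g. Abort/Rewrite) show what each rule blocks.
        '{0,-45} match={1,-30} action={2}' -f $r.name, $r.match.url, $r.action.type
    }
}

# Microsoft Safety Scanner log: confirm the scan ran and review the tail for detections.
$log = Join-Path $env:windir 'debug\msert.log'
if (Test-Path $log) {
    Write-Host "`nLast 20 lines of $log :"
    Get-Content $log -Tail 20
} else {
    Write-Warning "MSERT log not found at $log; the scan may not have run yet."
}

# EOMT only covers CVE-2021-26855 and runs a quick scan: patch fully, and run MSERT in
# FULL SCAN mode if any compromise is suspected.
```

Seeing a rule listed does not prove the server was never compromised; the scanner log and a fully applied security update are what close the gap.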
“The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques,” Microsoft made sure to note, and pointed out that Exchange servers should be fully updated as quickly as possible after using it.
EOMT mitigates only the ProxyLogon flaw (CVE-2021-26855) but not the other three vulnerabilities (CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) exploited in the escalating attacks on Exchange servers.
The four vulnerabilities are being exploited as part of an attack chain, but it’s through CVE-2021-26855 that the attackers are able to make an untrusted connection to target Exchange servers.
“Other portions of the attack can be triggered if the attacker already has access or gets access through other means,” Microsoft explained, and this is why patching is the only way to mitigate the threat completely.
Microsoft recommends this script over the previously released ExchangeMitigations.ps1 script, as it is tuned based on the latest threat intelligence. Also, the ExchangeMitigations.ps1 script does not scan for existing compromise or exploitation (though it mitigates all four of the vulnerabilities used in the attacks).
It must also be pointed out that EOMT runs the Microsoft Safety Scanner in a quick scan mode. “If you suspect any compromise, we highly recommend you run it in the FULL SCAN mode. FULL SCAN mode can take a long time but if you are not running Microsoft Defender AV as your default AV, FULL SCAN will be required to remediate threats,” Microsoft advised.