CISA and partners take action as Microsoft Exchange security risks mount

In partnership with international cybersecurity agencies, the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) outlined security best practices for organizations that use on-premises versions of Microsoft Exchange Server.

Microsoft Exchange on-premises security

Microsoft Exchange servers are regularly targeted by threat actors, and Microsoft’s release of the final security updates for Exchange Server 2016 and 2019 earlier this month means many organizations will remain vulnerable unless they take steps to mitigate risks.

“By restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyberattacks,” CISA noted.

The end of perpetual Exchange Server licenses, but not of on-prem Exchange

Earlier this week, Germany’s Federal Office for Information Security (BSI) warned that 92% of the approximately 33,000 on-premises Exchange servers in Germany are still running Outlook Web Access 2019 or earlier.

These systems belong to thousands of companies, but also to “a large number of hospitals and medical practices, schools and universities, social services, law and tax firms, municipal utilities and local administrations.”

CISA and its international partners are advising organizations that are running an unsupported version of Exchange to migrate to Exchange Server Subscription Edition (SE), which is currently the only supported on-prem version of Exchange, or to an alternative supported email server software or service.

(Microsoft is also offering extended security updates for Exchange 2016 and 2019 to help customers complete their migrations, but these updates will only address critical or important vulnerabilities, and the program will end on April 14, 2026.)

For those who will continue to run an unsupported version of Exchange Server for a while yet, CISA advises taking the following steps to minimize exposure:

  • Keep Exchange Server instances off the public internet.
  • Isolate them within a dedicated network segment.
  • If needed for external communication, route traffic to them through a separate, supported email security gateway.
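One way to verify the first and third of those steps is an external exposure audit of your own Exchange inventory: run from a vantage point outside the perimeter, it reports any host that still answers on the well-known Exchange web virtual directories (only the supported gateway should answer). This is an added example, not code from CISA or Microsoft; the hostnames in the inventory are constructed placeholders.

```python
"""Exposure audit for on-prem Exchange hosts (added example, not CISA's or
Microsoft's code). Run from outside the perimeter against your own inventory
to confirm that no Exchange web endpoint answers directly from the internet."""
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Well-known Exchange virtual directories. None of these should be reachable
# from the public internet; only a supported mail gateway should be.
EXCHANGE_PATHS = [
    "/owa/", "/ecp/", "/ews/exchange.asmx", "/mapi/",
    "/autodiscover/autodiscover.xml", "/Microsoft-Server-ActiveSync",
]
# A login page (200/302) or an auth challenge (401/403) means the virtual
# directory exists; a 404 or a connection failure means it does not.
PRESENT_STATUSES = {200, 301, 302, 401, 403}


def http_status(url, timeout=5):
    """HEAD the URL and return its HTTP status, or None if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # on-prem certs are often self-signed
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except HTTPError as err:
        return err.code                 # 401/403/404 still tell us something
    except (URLError, OSError):
        return None


def audit_exposure(hosts, probe=http_status):
    """Return {host: [exposed paths]} for hosts that answer on any Exchange
    path. `probe` is injectable so the logic can be tested without a network."""
    findings = {}
    for host in hosts:
        exposed = [path for path in EXCHANGE_PATHS
                   if probe(f"https://{host}{path}") in PRESENT_STATUSES]
        if exposed:
            findings[host] = exposed
    return findings


if __name__ == "__main__":
    # Constructed inventory; replace with the organisation's own hostnames.
    inventory = ["mail.example.com", "exch01.example.com"]
    report = audit_exposure(inventory)
    for host, paths in report.items():
        print(f"{host}: Exchange endpoints reachable -> {', '.join(paths)}")
    if not report:
        print("no Exchange web endpoints reachable from this vantage point")
```

A host that is reachable only on SMTP through the gateway and answers on none of these paths is consistent with the advice above; any host listed in the report is still directly exposed.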

Move to the cloud?

The document outlines security best practices but is not a comprehensive hardening guide, CISA notes, urging organizations to actively monitor for compromises and plan for incidents and recovery.

Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA, also stated that “CISA recommends that organizations evaluate the use of cloud-based email services instead of managing the complexities associated with hosting their own communication services.”

AJ Grotto, a research scholar at the Center for International Security and Cooperation at Stanford University and former Senior White House Director for Cyber Policy, pointed out that governments do not normally step in to provide detailed guidance on behalf of private companies on how to safely operate their products.

“The fact that a multilateral coalition of security and intelligence agencies felt obligated to produce something like this is a devastating commentary on Microsoft’s security posture,” he commented.

“Microsoft gets away with its negligence because they have customers locked into their ecosystem, which gives Microsoft leverage to pass risk and expense along to their customers. It’s not a good look for [the company].”
