Microsoft has added a new feature to Exchange Server that automatically applies temporary mitigations for high-risk security vulnerabilities (which may be actively exploited), protecting on-premises servers from incoming attacks and giving administrators more time to apply security updates.
The update comes after multiple Microsoft Exchange zero-day vulnerabilities were exploited by state-funded hacking groups with financial incentives to compromise servers whose administrators did not have a patch or mitigation.
Automatic protection for vulnerable Exchange servers
The new Exchange Server component, aptly named Microsoft Exchange Emergency Mitigation (EM), is based on Microsoft's Exchange On-premises Mitigation Tool (EOMT), released in March to help customers minimize the attack surface exposed by the ProxyLogon bugs.
EM runs as a Windows service on Exchange Mailbox servers and is installed automatically on Mailbox servers once the September 2021 (or later) CU is deployed on Exchange Server 2016 or Exchange Server 2019.
It works by detecting Exchange servers vulnerable to one or more known threats and applying temporary mitigations until administrators can install a security update.
Mitigations applied automatically through the EM service are temporary fixes that hold until the security update (SU) fixing the vulnerability can be installed; they do not replace Exchange SUs.
Optional function that can be deactivated
EM is a version of EOMT that is built into Exchange Server and works with the Office Config Service (OCS) to download known mitigations for high-risk bugs and protect against them.
Administrators can disable the EM service if they do not want Microsoft to automatically apply mitigations to their Exchange servers.
They can also control the applied mitigations using PowerShell cmdlets and scripts, which allow mitigations to be viewed, re-applied, blocked or removed.
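As an added example (not part of the original article), the following Exchange Management Shell script audits where EM is effectively active and which mitigations are applied or blocked on each Mailbox server. The parameter and property names (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) and the service name MSExchangeMitigation come from Microsoft's EM documentation rather than from this page; `<ServerName>` and `<MitigationId>` are placeholders.

```powershell
# Added example: run in the Exchange Management Shell (Windows PowerShell 5.1)
# on Exchange 2016/2019 with the September 2021 CU or later.
# Assumption: names below follow Microsoft's EM documentation, not this article.

# EM is only effective on a server when it is enabled at BOTH the
# organization level and the individual server level.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # EM runs on Mailbox servers only; skip other roles (for example Edge).
    if ($server.ServerRole -notlike '*Mailbox*') { continue }

    # Query the EM Windows service remotely; an unreachable server is
    # reported as 'Unknown' instead of being silently dropped.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' `
                       -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'Unknown' }

    [pscustomobject]@{
        Server        = $server.Name
        OrgEnabled    = $orgEnabled
        ServerEnabled = $server.MitigationsEnabled
        Effective     = ($orgEnabled -and $server.MitigationsEnabled -and
                         $svcStatus -eq 'Running')
        Service       = $svcStatus
        Applied       = ($server.MitigationsApplied -join ', ')
        Blocked       = ($server.MitigationsBlocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers where automatic mitigation is not in effect: these rely entirely
# on timely installation of security updates.
$report | Where-Object { -not $_.Effective } | Select-Object Server, Service

# Changes (commented out so the script stays read-only):
# Opt a single server out of automatic mitigation:
#   Set-ExchangeServer -Identity '<ServerName>' -MitigationsEnabled $false
# Opt the whole organization out:
#   Set-OrganizationConfig -MitigationsEnabled $false
# Block one mitigation on a server (EM removes it and will not re-apply it):
#   Set-ExchangeServer -Identity '<ServerName>' -MitigationsBlocked @('<MitigationId>')
# Clear the block list so the mitigation can be re-applied:
#   Set-ExchangeServer -Identity '<ServerName>' -MitigationsBlocked @()
```

Running the audit after each CU deployment shows whether a server has been left opted out or has a stale block list.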
Source of information: bleepingcomputer.com