Microsoft email zero day

Topic

New Reply

What is it?  Microsoft is investigating targeted attacks on their on premises Email servers.  Attackers have found a way into servers that are already
[See the full post at: Microsoft email zero day]

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Replies

I use Outlook.com and have noticed an increase in phishing mail lately.  I don’t use Outlook.com as my primary e-mail service.  The phishing e-mails are sometimes amusing. I find that they repeat the same message again and again.  Most use gmail.com.

Mark

 

Reply | Quote

Susan Bradley wrote:

Is this disturbing that EVERY time there is a zero day in Microsoft on premises email servers, Microsoft can conveniently scramble and get their online servers patched and meanwhile those that purchase on premises software are stuck holding the bag.

Would it be less disturbing if Microsoft didn’t patch their own servers immediately (while asking everyone else to do so)?

Reply | Quote

It’s disturbing that they can patch but yet can’t build a patch for external users.  Because clearly they are patching themselves quite quickly.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Or perhaps they’ve deployed the mitigations available to everyone?

Reply | Quote

Then they can be a bit more proactive and include these mitigations in the tool that they supposedly wrote to help protect for these zero days.  Currently it doesn’t help to protect servers for this issue.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

fk5353, Alex5723

Reply | Quote

Susan Bradley wrote:

include these mitigations in the tool that they supposedly wrote to help protect for these zero days

Good news. They have as of October first. Those who have installed Exchange Server Emergency Mitigation and enabled it, the fix is applied automatically. Won’t hurt to check if it actually did, see the topic Controlling automatic mitigation in your environment

As you say; it does make you wonder how MS patches it’s own Exchange servers; assuming they run Exchange for their MS 365 solutions.

1 user thanked author for this post.

b

Reply | Quote

September 30, 2022 updates:

Added link to Microsoft Security blog in Summary.

Microsoft released the Exchange Server Emergency Mitigation Service (EMS) mitigation for this issue.

Microsoft created a script for the URL Rewrite mitigation steps and modified step 6 in the Mitigations section.

Mitigations
…
Option 1: For customers who have the Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. Please see this blog post for more information on this service and how to check active mitigations.

Option 2: Microsoft created the following script for the URL Rewrite mitigation steps. https://aka.ms/EOMTv2

Option 3: Customers can follow the below instructions, which are currently being discussed publicly and are successful in breaking current attack chains.
…
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Reply | Quote

It’s forked from the premises based Exchange.  Not quite the same code.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Kevin Beaumont on Twitter: “Nope. Exchange 2010 isn’t vuln to ProxyLogon, ProxyShell or ProxyNotShell as the Exchange Online integration isn’t there, basically.” / Twitter

Exchange 2010 is not vulnerable.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Seems poor configuration was part of the problem.. (or is this another “incident”? This is October 4th..)

https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/

https://twitter.com/KiPos_info/status/1577745070941503488

Should anyone be able to make use of this..

 

 

Reply | Quote

Totally different issue.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote