Microsoft is hoping to address the security issue of emails sent to Exchange online from unsupported and unpatched Exchange Servers by enabling a transport-based enforcement system in Exchange Online that will throttle and then block emails from an unsupported server.
The end goal is to encourage Microsoft customers to stop using persistently vulnerable versions of Exchange, which are a favorite target of hackers, including from Hafnium, a state-sponsored hacking group out of China that has leveraged Exchange vulnerabilities in the past.
According to Microsoft, admins will also see alerts about unsupported or unpatched Exchange servers in their on-premises environment that need to be upgraded or patched. However, if a server remains out of date and unpatched, mail from that server will be throttled and eventually blocked, the company says in a Tech Community blog.
“We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service,” Microsoft says in the blog. “We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments.”
In addition to the existing Exchange Server health Check tool, Microsoft is adding a new mail flow report to the Exchange admin center in exchange Online that provides details to a tenant admin about unsupported or out-of-date Exchange servers in their environment that connect to Exchange Online to send mail.
The new report will also provide details on any throttling or blocking of messages, along with information about what happens next if the server isn’t made current.
If servers aren’t remediated after a period of time, Exchange Online will begin to throttle messages from it, issuing a retriable SMTP 450 error to the sending sever, which will cause the sending server to queue and retry the message later, resulting in a delayed delivery.
The error messages will read, “450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”
Throttling durations will increase progressively over time to encourage admins to remediate the server. However, if the server isn’t upgraded or patched within 30 days after throttling begins, emails will be blocked.
In the blocking scenario, Exchange Online will issue a permanent SMTP 550 error to the sender, triggering a non-delivery report. In this case, a sender will need to re-send the message, the company says.
That error will read, “550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”
When will this enforcement action begin?
According to Microsoft, the report will release in private preview this month, and the first affected customers will see the generally available version of the report beginning May 23. Throttling for that first wave will begin in June, and blocking will begin in July.
These steps will be taken progressively for 90 days from initial detection of the unsupported server to 100% blocking, Microsoft says.
However, admins can pause throttling and blocking for up to 90 days per year in the Exchange admin center. Doing so puts the sever in report-only mode for the duration specified. Admins can use those 90 days however they want throughout the year, and don’t have to use the entire 90 days consecutively.
Begins with Exchange 2007
The throttling and blocking of old Exchange Servers will eventually apply to all versions and all email coming into Exchange Online, but Microsoft will start with Exchange 2007 servers that connect to Exchange Online over an inbound connector type of OnPremises. This is the oldest version of Exchange from which you can migrate in a hybrid configuration to Exchange Online, Microsoft says.
The company will then incrementally bring Exchange Sever versions into the enforcement scope until all versions are included, regardless of how they send mail to Exchange Online.
In the Tech Community blog, commenters opined about the reasons behind the move, with some speculating that Microsoft is essentially forcing organizations to migrate to the cloud or pay to continue using Exchange.
However, Chris Goettl, vice president of product management for security products at Ivanti, says this move is another that Microsoft is taking to prevent the malicious use of its solutions. Similar to how the company began blocking macros in Office documents by default, these moves are intended to close security loopholes.
According to Goettl, security researchers have essentially concluded that on-premises Exchange architectures are fundamentally overprivileged and are a security liability.
“There is clear evidence that exchange on prem is not being well maintained by the companies that are still running it,” Goettle says. When there are thousands of Exchange servers that get exploited within a matter of days when a new exploit comes out, there’s kind of a systemic issue.”
Exchange vulnerabilities are typically among the most commonly exploited security bugs. In fact, two recent research reports from Tenable and Rezilion concluded that Exchange zero days such as ProxyShell and ProxyLogon are still among the most exploited vulnerabilities.
It can sometimes take admins several weeks to patch vulnerabilities like those, but the throttling and blocking action Microsoft is taking is aimed at old, vulnerable Exchange infrastructure.
“So they’re not saying you have to stop using on-prem Exchange and start paying for their online services,” Goettl says. “What they are saying, is if you don’t keep it up to date, they reserve the right to throttle then block you if you’re not keeping the ecosystem secure.”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!