State-sponsored hackers delay new Microsoft Exchange Server by four years

Laptop computer displaying logo of Microsoft Exchange
(Image credit: Shutterstock)

State-sponsored cyber attacks on Microsoft Exchange servers throughout 2021 are the reason why the latest version of the on-prem mail and calendaring server will be delayed by four years, Microsoft said.

A new version of Microsoft Exchange Server was originally on course for an H2 2021 release but Microsoft has updated its roadmap delaying the release to H2 2025 due to the time it took developers to improve security in the wake of the Hafnium attacks.

Hafnium is a state-sponsored hacking group Microsoft has previously said is linked to China. In 2021, Hafnium attacked Microsoft Exchange servers consistently using a flurry of zero-day vulnerabilities to exfiltrate information from victims across various business verticals.

In addition to an extra four-year wait for the next version, IT admins can expect to hear more about the new features, pricing, requirements, and naming of the updated version in the first half of 2024.

Microsoft also said the latest version will require Server licenses and Client Access Licenses (CALs) and will only be accessible to customers with Software Assurance - a service pack that automatically provides customers with licenses to the latest versions of software.

The current support dates for Exchange Server 2013 (11 April 2023), Exchange Server 2016 (14 October 2025), and Exchange Server 2019 (14 October 2025) are unchanged.

The next version of Exchange Server will move to Microsoft’s Modern Lifecycle Policy which does not set end-of-life (EOL) dates for products or services but continues to offer support as long as there is demand for it in the market.

Customers running Exchange Server 2019 may have an easier time upgrading to the new version when the time comes, Microsoft hinted.

After resolving previously known upgrading issues relating to hardware requirements and mailbox migration, Microsoft is introducing an in-place upgrade capability to Exchange Server 2019 and recommends all customers upgrade to the version “as soon as possible”.

Hafnium’s server siege

Last year, the Chinese-linked state-sponsored hacking group exploited a chain of zero-day vulnerabilities in Microsoft Exchange, leading to hacks on hundreds of thousands of businesses.

Microsoft said at the time that the group was known for harvesting data from various types of organisations including those in the medical, education, military, NGO, and policy sectors.


The state of brand protection 2021

A new front opens up in the war for brand safety


Based in China but operating from US-based virtual private servers (VPS), Hafnium gained access to Exchange Servers, installed a web shell for remote control, and stole data.

The White House was especially concerned about the threat to national security and urged all businesses to patch their Exchange servers to the latest version as a matter of priority, at the time.

More than a month after the exploits became public knowledge, US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems.

Experts said that if organisations hadn’t patched on the day of release, there was a strong chance that the environment was already compromised, and the web shell had already been planted.

It was later revealed that Microsoft first became aware of the zero-day exploits in January 2021, two months before Hafnium’s activity ramping up in March.

Hafnium’s exploit chain was ultimately used in separate attacks throughout the year, namely by the Qakbot and SquirrelWaffle malspam campaigns spreading via unpatched servers in October 2021.

Microsoft’s work so far

The delay to the latest version of Microsoft Exchange Server came as a result of Microsoft's security experts being forced to work throughout 2021 to combat the heavy attacks from the exploits used by Hafnium.

It said that work on the new release was stalled as the team was busy pushing out-of-band security updates, a one-click mitigation tool - which was later integrated as a core feature of Exchange Server and integrating other services to improve the security of the service for IT admins.

It also launched a bug bounty programme for Exchange Server and Office Server under the Microsoft Applications and On-Premises Servers Bounty Program to improve the company’s collaboration with the private sector and independent security researchers and ultimately improve the security of Exchange Server.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.