
State-sponsored hackers delay new Microsoft Exchange Server by four years

Hafnium's devastating zero-day exploit chain in 2021 forced Microsoft to improve the security of current versions instead of releasing the new one on schedule

State-sponsored cyber attacks on Microsoft Exchange servers throughout 2021 are the reason why the latest version of the on-prem mail and calendaring server will be delayed by four years, Microsoft said.

A new version of Microsoft Exchange Server was originally on course for an H2 2021 release, but Microsoft has updated its roadmap, delaying the release to H2 2025 because of the time it took developers to improve security in the wake of the Hafnium attacks.

Hafnium is a state-sponsored hacking group Microsoft has previously said is linked to China. In 2021, Hafnium attacked Microsoft Exchange servers consistently using a flurry of zero-day vulnerabilities to exfiltrate information from victims across various business verticals.

In addition to an extra four-year wait for the next version, IT admins can expect to hear more about the new features, pricing, requirements, and naming of the updated version in the first half of 2024.

Microsoft also said the latest version will require Server licenses and Client Access Licenses (CALs) and will only be accessible to customers with Software Assurance - a service pack that automatically provides customers with licenses to the latest versions of software. 

The current support dates for Exchange Server 2013 (11 April 2023), Exchange Server 2016 (14 October 2025), and Exchange Server 2019 (14 October 2025) are unchanged. 

The next version of Exchange Server will move to Microsoft’s Modern Lifecycle Policy which does not set end-of-life (EOL) dates for products or services but continues to offer support as long as there is demand for it in the market.

Customers running Exchange Server 2019 may have an easier time upgrading to the new version when the time comes, Microsoft hinted.

After resolving previously known upgrading issues relating to hardware requirements and mailbox migration, Microsoft is introducing an in-place upgrade capability to Exchange Server 2019 and recommends all customers upgrade to the version “as soon as possible”.

Hafnium’s server siege

Last year, the Chinese-linked state-sponsored hacking group exploited a chain of zero-day vulnerabilities in Microsoft Exchange, leading to hacks on hundreds of thousands of businesses.

Microsoft said at the time that the group was known for harvesting data from various types of organisations including those in the medical, education, military, NGO, and policy sectors.

Based in China but operating from US-based virtual private servers (VPS), Hafnium gained access to Exchange Servers, installed a web shell for remote control, and stole data.

At the time, the White House was especially concerned about the threat to national security and urged all businesses to patch their Exchange servers to the latest version as a matter of priority.

More than a month after the exploits became public knowledge, US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems.

Experts said that if organisations hadn’t patched on the day of release, there was a strong chance that the environment was already compromised, and the web shell had already been planted.

It was later revealed that Microsoft first became aware of the zero-day exploits in January 2021, two months before Hafnium’s activity ramped up in March.

Hafnium’s exploit chain was ultimately used in separate attacks throughout the year, namely by the Qakbot and SquirrelWaffle malspam campaigns spreading via unpatched servers in October 2021.

Microsoft’s work so far

The delay to the latest version of Microsoft Exchange Server came as a result of Microsoft's security experts being forced to work throughout 2021 to combat the heavy attacks from the exploits used by Hafnium. 

It said that work on the new release was stalled as the team was busy pushing out-of-band security updates, releasing a one-click mitigation tool - which was later integrated as a core feature of Exchange Server - and integrating other services to improve the security of the service for IT admins.

It also launched a bug bounty programme for Exchange Server and Office Server under the Microsoft Applications and On-Premises Servers Bounty Program to improve the company’s collaboration with the private sector and independent security researchers and ultimately improve the security of Exchange Server.
