State-sponsored hackers delay new Microsoft Exchange Server by four years

Hafnium's devastating zero-day exploit chain in 2021 forced Microsoft to improve the security of current versions instead of releasing the new one on schedule

State-sponsored cyber attacks on Microsoft Exchange servers throughout 2021 are the reason why the latest version of the on-prem mail and calendaring server will be delayed by four years, Microsoft said.

A new version of Microsoft Exchange Server was originally on course for an H2 2021 release, but Microsoft has updated its roadmap, delaying the release to H2 2025 due to the time it took developers to improve security in the wake of the Hafnium attacks.

Hafnium is a state-sponsored hacking group Microsoft has previously said is linked to China. In 2021, Hafnium attacked Microsoft Exchange servers consistently using a flurry of zero-day vulnerabilities to exfiltrate information from victims across various business verticals.

In addition to an extra four-year wait for the next version, IT admins can expect to hear more about the new features, pricing, requirements, and naming of the updated version in the first half of 2024.

Microsoft also said the latest version will require Server licenses and Client Access Licenses (CALs) and will only be accessible to customers with Software Assurance - a service pack that automatically provides customers with licenses to the latest versions of software. 

The current support dates for Exchange Server 2013 (11 April 2023), Exchange Server 2016 (14 October 2025), and Exchange Server 2019 (14 October 2025) are unchanged. 

The next version of Exchange Server will move to Microsoft’s Modern Lifecycle Policy which does not set end-of-life (EOL) dates for products or services but continues to offer support as long as there is demand for it in the market.

Customers running Exchange Server 2019 may have an easier time upgrading to the new version when the time comes, Microsoft hinted.

After resolving previously known upgrading issues relating to hardware requirements and mailbox migration, Microsoft is introducing an in-place upgrade capability to Exchange Server 2019 and recommends all customers upgrade to the version “as soon as possible”.

Hafnium’s server siege

Last year, the Chinese-linked state-sponsored hacking group exploited a chain of zero-day vulnerabilities in Microsoft Exchange, leading to hacks on hundreds of thousands of businesses.

Microsoft said at the time that the group was known for harvesting data from various types of organisations including those in the medical, education, military, NGO, and policy sectors.

Based in China but operating from US-based virtual private servers (VPS), Hafnium gained access to Exchange Servers, installed a web shell for remote control, and stole data.

At the time, the White House was especially concerned about the threat to national security and urged all businesses to patch their Exchange servers to the latest version as a matter of priority.

More than a month after the exploits became public knowledge, US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems.

Experts said that if organisations hadn’t patched on the day of release, there was a strong chance that the environment was already compromised, and the web shell had already been planted.

It was later revealed that Microsoft first became aware of the zero-day exploits in January 2021, two months before Hafnium’s activity ramped up in March.

Hafnium’s exploit chain was ultimately used in separate attacks throughout the year, namely by the Qakbot and SquirrelWaffle malspam campaigns spreading via unpatched servers in October 2021.

Microsoft’s work so far

The delay to the latest version of Microsoft Exchange Server came as a result of Microsoft's security experts being forced to work throughout 2021 to combat the heavy attacks from the exploits used by Hafnium. 

It said that work on the new release was stalled as the team was busy pushing out-of-band security updates and a one-click mitigation tool - which was later integrated as a core feature of Exchange Server - and integrating other services to improve the security of the service for IT admins.

It also launched a bug bounty programme for Exchange Server and Office Server under the Microsoft Applications and On-Premises Servers Bounty Program to improve the company’s collaboration with the private sector and independent security researchers and ultimately improve the security of Exchange Server.
