Microsoft set to block emails from unsupported Exchange servers

Server racks in a server centre
(Image credit: Getty Images)

Microsoft is readying a new feature for Exchange Online that will report, throttle, and block emails from unsecured on-prem Exchange servers.

Admins will be sent alerts if their on-prem exchange servers are deemed to be unsupported or are unpatched from security threats, complete with a reminder to update their infrastructure.

It marks a step towards reducing the risk of malicious emails reaching organisations, but also to encourage customers with unsupported or unpatched Exchange servers to secure their on-prem environments.

“We’ve said many times that it is critical for customers to protect their Exchange servers by staying current with updates and by taking other actions to further strengthen the security of their environment,” said Microsoft.

“Many customers have taken action to protect their environment, but there are still many Exchange servers that are out of support or significantly behind on updates.”

Exchange Online is set to receive a new mail flow report in the Exchange admin centre. This will provide admins with information about unsupported or expired Exchange servers in their environment.

The report will inform admins of any messages that are throttled or blocked, and what will happen if the server isn’t updated or taken out of service.

If the server’s issues haven’t been addressed then Exchange Online will throttle messages from it. The throttling will increase progressively over time and is designed to raise awareness of the issue with admins to try and get them to fix the server. If the issue isn’t addressed within 30 days, then emails will begin to be blocked.

Microsoft is adopting what it calls a “progressive” enforcement approach, where throttling will slowly increase over time, followed by gradual blocking, and then resulting in blocking all non-compliant traffic. The actions will escalate until the server is removed from service or updated.

The company said that the new system is set to be applied to all Exchange Server versions and all emails coming into Exchange Online. However, for now, the tech giant is starting with Exchange 2007 servers.

RELATED RESOURCE

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

FREE DOWNLOAD

“We have specifically chosen to start with Exchange 2007 because it is the oldest version of Exchange from which you can migrate in a hybrid configuration to Exchange Online, and because these servers are managed by customers we can identify and with whom we have an existing relationship,” Microsoft explained.

The new system will then be incrementally introduced into other Exchange Server versions, until all versions are included.

Microsoft is aiming to address the problem of emails sent to Exchange Online from unsupported and unpatched Exchange servers. It said these servers present a security risk as once they are no longer supported, they don’t receive security updates.

“Once a security update is released, malicious actors will reverse-engineer the update to get a better understanding of how to exploit the vulnerability on unpatched servers,” said the tech giant.

The company said that emails messages coming from servers that are unsupported or unpatched are “persistently vulnerable” and can’t be trusted. This means these servers can increase the risk of an organisation experiencing attacks like malware, security breaches, or hacking.

Rampant Exchange Server issues

Microsoft Exchange Servers have been repeatedly abused by malicious actors over the years.

In November 2021, compromised servers were used to spread a SquirrelWaffle malspam campaign after targeting unpatched instances. The malspam hijacked inboxes and set malicious emails responding to existing email chains.

Following other exploration attempts of Exchange Server earlier that year, Microsoft was forced to delay the technology's development roadmap.

The company admitted in June 2022 that it needed more time to strengthen its security following China-linked Hafnium attacks.

This was followed in December 2022 by a researcher who said that a ransomware attack on Rackspace may have been down to an attacker taking advantage of an out-of-date Exchange cluster.

Security researcher Kevin Beaumont suggested that the attackers exploited the server clusters which hadn’t been patched since August 2022, before the ProxyNotShell patches had been released.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.