Remediating Microsoft Exchange Vulnerabilities
Note: CISA will continue to update this web page as we have further guidance to impart.
- On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products.
- On March 3, 2021, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
- On March 31, 2021, CISA issued ED 21-02 Supplemental Direction V1, which directs federal departments and agencies to run newly developed tools—Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSERT—to investigate whether their Microsoft Exchange Servers have been compromised.
- On April 13, 2021, CISA issued ED 21-02 Supplemental Direction V2, which directs federal departments and agencies to apply Microsoft's April 2021 Security Update that newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.
For Leaders:
An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:
- What steps your organization has taken;
- Whether your organization has the technical capability to follow the guidance provided below; and
- If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.
Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed.
For IT Security Staff:
As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises that all system owners complete the following steps:
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- (Updated March 31, 2021) Run the Microsoft Test-ProxyLogon.ps1 script to check for indicators of compromise (IOCs) related to this incident.
- (Updated March 31, 2021) Run the Microsoft Exchange On-premises Mitigation Tool (EOMT.ps1).
According to Microsoft, this tool:
  • Mitigates against current known attacks using CVE-2021-26855 via a URL Rewrite configuration.
  • Scans the Exchange Server using the Microsoft Safety Scanner.
  • Attempts to remediate compromises detected by the Microsoft Safety Scanner.
  Note: CISA recommends reviewing the EOMT.ps1 blog post for directions on using the tool.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- (Updated April 13, 2021) Apply Microsoft's April 2021 Security Update that newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
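As an added illustration (not code from CISA or Microsoft), the following PowerShell wrapper runs the two Microsoft scripts named in the steps above in the order the steps give: it records and hashes the Test-ProxyLogon.ps1 findings first, and only runs the EOMT.ps1 mitigation when explicitly asked. It assumes both scripts have already been downloaded into a local folder and that the parameter name used (-OutPath) is the one Microsoft documents for Test-ProxyLogon.ps1.

```powershell
# Added example, not CISA's or Microsoft's code. Assumed: Test-ProxyLogon.ps1 and
# EOMT.ps1 were downloaded from Microsoft into $ToolDir, and -OutPath is the
# documented Test-ProxyLogon.ps1 parameter for its output folder.
param(
    [string]$ToolDir  = "C:\ExchangeTools",           # assumed location of the two scripts
    [string]$Evidence = "C:\ExchangeTools\evidence",  # where the IOC findings are kept
    [switch]$Mitigate                                 # EOMT only runs when this is set
)

$ErrorActionPreference = 'Stop'
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated PowerShell session on the Exchange server."
}
foreach ($s in 'Test-ProxyLogon.ps1', 'EOMT.ps1') {
    if (-not (Test-Path (Join-Path $ToolDir $s))) { throw "Missing $s in $ToolDir" }
}
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Step 1: IOC check. Run after the forensic image has been taken; without
# pipeline input the script examines the local server.
& (Join-Path $ToolDir 'Test-ProxyLogon.ps1') -OutPath $Evidence

# Step 2: hash every file the check produced, so the findings can be shown to
# be unaltered before any mitigation changes the server.
$files = Get-ChildItem -Path $Evidence -File -Recurse
$files | Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $Evidence 'evidence-hashes.csv') -NoTypeInformation
"{0} finding file(s) written to {1}" -f $files.Count, $Evidence
if ($files.Count -gt 0) {
    Write-Warning "Test-ProxyLogon wrote findings; review them before remediating."
}

# Step 3: mitigation. By default EOMT applies the URL Rewrite mitigation for
# CVE-2021-26855, runs the Microsoft Safety Scanner and attempts remediation.
if ($Mitigate) {
    & (Join-Path $ToolDir 'EOMT.ps1')
}
```

Apply the Microsoft security updates afterwards regardless of what the scripts report; the wrapper replaces neither the forensic image nor the update.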
Note: see the figure below for a summary of the observed malicious activity placed into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the Joint FBI-CISA Cybersecurity Advisory AA21-069A: Compromise of Microsoft Exchange Server for additional details.
Figure 1: MITRE ATT&CK Enterprise Techniques Observed (Source: Joint FBI-CISA Cybersecurity Advisory AA21-069A: Compromise of Microsoft Exchange Server)
Additional Resources:
- (Added April 13, 2021) Supplemental Direction V2 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- (Added April 13, 2021) Microsoft's April 2021 Security Update
- (Added March 31, 2021) Supplemental Direction V1 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- Microsoft IOC Detection Tool for Exchange Server Vulnerabilities
- (Added March 15, 2021) Microsoft EOMT.ps1 tool (can automate portions of both the detection and patching process)
- (Added March 12, 2021) Check my OWA tool for checking if a system has been affected. Disclaimer: this tool does not check against an exhaustive list of compromised domains. It is meant for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information and cannot assure its accuracy or completeness; therefore, entities should not rely solely on this information to justify foregoing CISA’s recommendations for action described on this webpage.
- (Released March 10, 2021) Joint FBI-CISA Cybersecurity Advisory AA21-069A: Compromise of Microsoft Exchange Server
- (Updated) Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability
- CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
- (Updated) Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Security Blog: Hafnium targeting Exchange Servers
- Volexity Blog: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- Microsoft Security Response Center Blog: Microsoft Exchange Server Vulnerabilities Mitigations
- CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide