Exchange Online blocks mail from on-premises Exchange servers with vulnerabilities

[English]Microsoft has just unveiled a new security policy for Exchange Online that can block the acceptance of email from insecure on-premises Exchange servers (in hybrid environments). The administrators in question will receive a notification that the on-premises Exchange server is vulnerable. If there is no response within 90 days, Exchange Online refuses to accept further e-mails. In the future, this will primarily eliminate systems with on-premises Exchange Server 2007, 2010 and, from April 2023, 2013 that have fallen out of support.


I just came across this topic from my colleagues at Bleeping Computer, which the Exchange Online team just published in the Techcommunity post Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online.

Exchange Online security policy

Microsoft is also trying to combat the problem of email being sent to Exchange Online from unsupported and unpatched on-premises Exchange servers (in hybrid environments), as part of better securing its own cloud. There are many security risks associated with using these insecure systems. If an on-premises Exchange server is discovered that sends mail to Exchange Online instances but is not up to date with the latest patches, a new transport-based enforcement system will take effect in the future.

Transport-based Enforcement System

The transport-based enforcement system in Exchange Online described by Microsoft has three main features: Reporting, Throttling and Blocking. The system is designed to notify administrators about unpatched Exchange servers in their on-premises environment. And if those responsible for these on-premises Exchange servers fail to respond, the servers can be blocked.

  • Reporting: Exchange Server administrators can already detect unpatched systems through the Exchange Server Health Checker. Microsoft is now adding a new Mailflow report in Exchange Online's Exchange Administration Center (EAC) that is separate from and complementary to Health Checker. The new report (see the following image) provides a tenant administrator with details of any unsupported or out-of-date Exchange servers sending email to Exchange Online.

Exchange Online Report
Exchange Online Report,Click to zoom


  • Throttling: If the operator of an on-premises Exchange server does not respond with an update or upgrade after a certain time, Exchange Online throttles messages from that server. In this case, Exchange Online issues a repeatable SMTP 450 error (for example, 450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr) to the sending server. This causes the sending server to queue the message and retry later. This results in delayed delivery of messages, and the delay interval becomes longer and longer to give administrators time to update the server (see BlockUnsafeExchangee for details).
  • Blocking:If an Exchange server is not updated within 30 days of the start of throttling, Exchange Online blocks acceptance of the email. Exchange Online then issues a permanent SMTP 550 error (e.g., 550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr.) to the sender, which triggers a non-delivery notification (NDR) to the sender. In this case, the sender must resend the message.

Microsoft deliberately takes a progressive enforcement approach, gradually lengthening throttling over time and finally introducing blocking in gradually increasing stages, culminating in the complete blocking of non-compliant traffic. The following table lists the stages of gradual enforcement:

 Enforcement ActionsEnforcement Actions; Click to zoom

In stage 1 starts when a non-compliant server is detected for the first time. Then the reporting mode kicks in and the administrator has 30 days to update the server. After 30 days with no response, throttling begins, increasing every 10 days for the next 30 days in stages 2-4.

If the server is not updated within 60 days, the throttling and blocking modes begin, and the blocking increases in levels 5-7 every 10 days over the next 30 days.

If the server is still not updated 90 days after detection, Stage 8 is reached and Exchange Online will no longer accept messages from that server. Once this on-premises Exchange server is patched/updated after being blocked, Exchange Online will again accept messages from this server. This is also to force out of support Exchange servers that no longer have security updates.

Suspending the rules

The new Mailflow report in the EAC allows an administrator to request a temporary enforcement pause. This suspends all throttling and blocking on Exchange Online and puts the server into report-only mode for the duration specified by the administrator (up to 90 days per year). Microsoft writes that any tentant can suspend throttling and blocking (on Exchange Online) for up to 90 days per year.

The enforcement system will apply to all versions of Exchange Server and all email received from Exchange Online (in hybrid environments). Microsoft will begin with a very small subset of legacy servers: Exchange 2007 servers connected to Exchange Online via an OnPremises type inbound connector. After this initial deployment, Microsoft will gradually add more Exchange Server versions to the scope of the enforcement system. Eventually, the scope will be extended to all versions of Exchange Server, regardless of how they send email to Exchange Online. Details can be found in the Microsoft article.

Similar articles
Patch critical EvP vulnerability CVE-2023-23397 in Outlook
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)
Outlook vulnerability CVE-2023-23397 not fully patched
Microsoft Guidelines for investigating attacks using CVE-2023-23397

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *