Exchange Online: Microsoft will now block mails from unpatched Exchange systems

Exchange Logo[German]Microsoft has again reminded on May 8, 2023, that as a security measure for Exchange Online, they will now start to delay the delivery of mails from (on-premises) Exchange servers if these systems have fallen out of support or are not patched. This is a security measure that had been announced by Redmond some time ago and is now being implemented in stages.


Advertising

An anonymous German blog reader posted in this comment to the blog post Exchange Online: Erinnerung Remote PowerShell ist ab 15. Juli 2023 "deprecated. As of May 8, 2023, the post Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online has appeared from Microsoft in the techcommunity.

In Microsoft's effort to improve the security of its own cloud, they will address the issue of emails sent to Exchange Online from unsupported (e.g. Exchange Server 2013) and unpatched Exchange servers. Using unsupported or unpatched software carries many risks – including security.

Once a version of Exchange Server has fallen out of support and is no longer supported, it will no longer receive security updates. Vulnerabilities discovered after support expires will not be fixed. Similar risks are associated with using software that is not patched for known security vulnerabilities.

Microsoft's experience is that published security updates are analyzed by malicious actors to understand how the vulnerability can be exploited on unpatched servers. However, this clashes with the zero-trust security model of MIcrosoft cloud services. This requires that connected devices and servers are demonstrably patched and managed. Servers that are unsupported or unpatched are persistently vulnerable and cannot be trusted, so email messages sent from them cannot be trusted. Persistently vulnerable servers significantly increase the risk of security breaches, malware, hacking, data exfiltration, and other attacks.

At the end of March 2023, in the blog post Exchange Online blocks mail from on-premises Exchange servers with vulnerabilities, I had already pointed out Microsoft's plans to introduce and enforce security policies for Exchange Online that can be used to block the acceptance of mail from insecure on-premises Exchange servers (in hybrid environments). The affected administrators will receive a notification that the on-premises Exchange server is vulnerable. If there is no response within 90 days, Exchange Online refuses to accept further e-mails. In the future, this will primarily eliminate systems with on-premises Exchange Server 2007, 2010 and, from April 2023, 2013 that have fallen out of support.


Advertising

DThe staged approach propagated by Microsoft, in which administrators of insecure Exchange Servers are notified and, in the absence of a response, the delivery of emails is delayed and later blocked, is described in the blog post Exchange Online blocks mail from on-premises Exchange servers with vulnerabilitiess. The details can also be read in the Techcommunity post Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Cloud, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *