Microsoft is now taking this hard stance after finally running out of patience with some of its customers who are just too busy (or lazy?) to keep up with patch updates! According to Redmond, “it is critical for customers to protect their Exchange servers by staying current with updates and by taking other actions to further strengthen the security of their environment. Many customers have taken action to protect their environment, but there are still many Exchange servers that are out of support or significantly behind on updates.”
The Exchange Team over at Microsoft opened its January 26, 2023, with this interesting line: “we’ve said it before, we’re saying it now, and we’ll keeping saying it: it is critical to keep your Exchange servers updated because attackers looking to exploit unpatched Exchange servers are not going to go away.” As if anyone needs reminding about that.
How is Micrsoft enforcing this?
Microsoft is adopting a 3-step approach to proactively mitigate the risk of malicious email entering Exchange Online as follows:
Step 1: Reporting – alert an admin about unsupported or unpatched Exchange servers in their on-premise environment that need remediation (upgrading or patching).
Step 2: Throttling – if a server is not remediated within a defined time period, mail flow from it will be throttled
Step 3: Blocking – if throttling does not cause an admin to remediate the server, then email from that server will be blocked after a defined period.
Microsoft believes that it has a sense of responsibility to protect its Exchange Online customers. And rightly so because you cannot coerce people to patch their systems, but you can choose not to allow untrusted systems contaminate other people’s systems. It will be interesting to see whether other vendors will follow Microsoft’s lead in the coming months and years.
Which Microsoft Exchange server versions are at risk?
Microsoft Exchange Server that predate 2013 are already end of life. Exchange Server 2013 will go end of life on the 11th of April 2023 (in just about two weeks!). From that point going forward, it will no longer receive any updates or support.
Organizations that currently have Exchange Server 2013 in their environments should be working round the clock now to migrate to Exchange Server 2016 or later. That should buy them another 30 months according to the “End of Life” timetable below:
Version | End of Life
_________________________
Exchange Server 2013 | April 11, 2023
Exchange Server 2016 | Oct 14, 2025
Exchange Server 2019 | Oct 14, 2025
Happy defending!
Written By Mobolaji Moyosore.
Cyber security thought leader with 20 years of cross-sector & cross-continental experience building and sustaining cyber-resilient infrastructures.