Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs
Microsoft says outdated Exchange servers cannot receive new emergency mitigation definitions because an Office Configuration Service certificate type is being deprecated.
Emergency mitigations (also known as EEMS mitigations) are delivered via the Exchange Emergency Mitigation Service (EEMS), introduced three years ago in September 2021.
EEMS automatically applies interim mitigations for high-risk (and likely actively exploited) security flaws to secure on-premises Exchange servers against attacks. It detects Exchange Servers vulnerable to known threats and applies interim mitigations until security updates are released.
EEMS runs as a Windows service on Exchange Mailbox servers and is automatically installed on servers with the Mailbox role after deploying September 2021 (or later) cumulative updates on Exchange Server 2016 or Exchange Server 2019.
However, according to the Exchange Team, EEMS "is not able to contact" the Office Configuration Service (OCS) and download new interim security mitigations on out-of-date servers running Exchange versions older than March 2023, instead triggering "Error, MSExchange Mitigation Service" events.
"One of the older certificate types in OCS is getting deprecated. A new certificate has already been deployed in OCS, and any server that is updated to any Exchange Server Cumulative Update (CU) or Security Update (SU) newer than March 2023 will continue to be able to check for new EEMS mitigations," the Exchange Team said today.
"If your servers are so much out of date, please update your servers ASAP to secure your email workload and re-enable your Exchange server to check for EEMS rules. It is important to always keep your servers up to date. Running Exchange Server Health Checker will always tell you what you need to do!"
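A defender-side check for the symptoms described above, written as an added example for this article (it is not Microsoft's tooling or code from the Exchange Team). It assumes the EEMS Windows service is named MSExchangeMitigation, that its events appear in the Application log under the provider name "MSExchange Mitigation Service", and that the Test-MitigationServiceConnectivity.ps1 script ships in the Exchange Scripts folder; run it from the Exchange Management Shell on a Mailbox server.

```powershell
# Added example, not from the article. Assumptions: service name 'MSExchangeMitigation',
# event provider 'MSExchange Mitigation Service', connectivity script in the Scripts folder.
$server = $env:COMPUTERNAME

# 1. Is the EEMS service installed and running? It is only present on servers that
#    received the September 2021 (or later) CU, so its absence already points at an old build.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "EEMS service not found on $server; the build predates September 2021."
} else {
    "EEMS service state on ${server}: $($svc.Status)"
}

# 2. Installed build and current mitigation state. Compare AdminDisplayVersion against the
#    March 2023 SU for your CU line; older builds will stop receiving new mitigation definitions.
Get-ExchangeServer -Identity $server |
    Format-List Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. The failure signature the article describes: Error-level events from the mitigation
#    service in the last seven days (Level 2 = Error).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Mitigation Service'
    Level        = 2
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Warning "$($events.Count) EEMS error event(s) in the last 7 days; OCS fetch is likely failing."
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    "No EEMS error events in the last 7 days."
}

# 4. Confirm whether the server can still reach the Office Configuration Service.
$probe = Join-Path $env:ExchangeInstallPath 'Scripts\Test-MitigationServiceConnectivity.ps1'
if (Test-Path $probe) { & $probe } else { Write-Warning "Connectivity script not found at $probe" }
```

If step 1 reports the service missing, or step 2 shows a build older than the March 2023 SU alongside errors in step 3, the server is in the state the Exchange Team describes and needs the latest CU/SU before EEMS can fetch mitigations again.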
The feature was added after state-sponsored and financially motivated hackers exploited ProxyLogon and ProxyShell zero-days, which lacked patches or mitigation information, to breach Exchange servers.
In March 2021, at least ten hacking groups exploited ProxyLogon, including a Chinese-sponsored threat group known by Microsoft as Hafnium.
Microsoft also urged customers two years ago, in January 2023, to apply the latest supported Cumulative Update (CU) and keep their on-premises Exchange servers patched to ensure they're always ready to deploy emergency security updates.
source: BleepingComputer