Microsoft reports increased attacks on Exchange servers

by Claudiu Andone
  • Microsoft Defender ATP Research Team released a guide on how to defend Exchange servers against malicious attacks using behavior-based detection.
  • The ATP team is worried about attacks that exploit Exchange vulnerabilities like CVE-2020-0688. 


Increased attacks on Exchange servers

Microsoft Defender ATP Research Team released a guide on how to defend Exchange servers against malicious attacks using behavior-based detection.

There are two main scenarios in which Exchange servers are attacked. The most common involves social engineering or drive-by download attacks targeting endpoints.

The ATP team, however, is worried about the second type: attacks that exploit Exchange vulnerabilities like CVE-2020-0688. There was even an NSA warning about this vulnerability.

Microsoft issued the security update that fixes the vulnerability in February, but attackers still find servers that were not patched and hence remain vulnerable.

How do I defend against attacks on Exchange servers?

Behavior-based blocking and containment capabilities in Microsoft Defender ATP, which use engines that specialize in detecting threats by analyzing behavior, surface suspicious and malicious activities on Exchange servers.

These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.

The Microsoft researchers studied Exchange attacks investigated during April, using multiple Exchange-specific behavior-based detections.

Figure: Suspicious behaviors detected on Exchange servers (graph)

How do the attacks take place?

Microsoft also revealed the attack chain that the wrongdoers are using to compromise the Exchange servers.

It seems that attackers are operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker.

This is an attacker’s dream: landing directly on a server and, if the server has misconfigured access levels, gaining system privileges.

Figure: MS Exchange servers attack chain

Microsoft also specified in the guide that the attacks used multiple fileless techniques, which added layers of complexity to detecting and resolving the threats.

The attacks also demonstrated that behavior-based detections are key to protecting organizations.
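As an added illustration (not code from Microsoft's guide or from Defender ATP), the following Python rule flags process-creation events in which the IIS worker process hosting an Exchange application pool starts a shell or command-line tool, the behavior a web shell produces, and raises the severity when the pool runs as SYSTEM. The event field names, hosts, accounts and the child-process list are assumptions constructed for the example.

```python
import re

# Assumption: IIS serves Exchange from w3wp.exe worker processes whose command
# line names the application pool after -ap (e.g. MSExchangeOWAAppPool).
APP_POOL_RE = re.compile(r'-ap\s+"?(MSExchange\w+)', re.IGNORECASE)
# Illustrative, non-exhaustive list of children a mail app pool rarely needs.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "whoami.exe"}
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_app_pool_shells(events):
    """Flag process creations where an Exchange app pool spawned a shell or tool."""
    alerts = []
    for ev in events:
        if image_name(ev["parent_image"]) != "w3wp.exe":
            continue
        pool = APP_POOL_RE.search(ev["parent_cmdline"])
        child = image_name(ev["image"])
        if pool is None or child not in SUSPICIOUS_CHILDREN:
            continue
        # A pool running as SYSTEM hands the same privileges to the child.
        is_system = ev["user"].upper() == r"NT AUTHORITY\SYSTEM"
        alerts.append({"host": ev["host"], "app_pool": pool.group(1), "child": child,
                       "severity": "high" if is_system else "medium"})
    return alerts

# Constructed sample events; the field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "user": r"NT AUTHORITY\SYSTEM", "parent_image": W3WP,
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "EXCH02", "user": r"CONTOSO\svc-exchange", "parent_image": W3WP,
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: crash reporting launched by the worker process.
    {"host": "EXCH01", "user": r"NT AUTHORITY\SYSTEM", "parent_image": W3WP,
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "image": r"C:\Windows\System32\WerFault.exe"},
    # Out of scope for this rule: an administrator's interactive shell.
    {"host": "EXCH01", "user": r"CONTOSO\admin", "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_app_pool_shells(SAMPLE_EVENTS):
        print(alert)
```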

For now, it appears that installing the patch is the only available remedy for the CVE-2020-0688 server vulnerability.
