- After cybersecurity experts showed that Microsoft’s mitigation is not enough to stop incoming attacks, the company revised its mitigation multiple times.
- Microsoft states that the vulnerabilities have been exploited by only a single state-sponsored attacker since August 2022.
- Microsoft also recommends that Exchange Server customers disable remote PowerShell access for non-admin users in their organization.
Shortly after cybersecurity experts proved that Microsoft’s mitigation method for the Exchange Server vulnerabilities was not good enough, the tech giant updated its URL Rewrite rule mitigation. Many users expect the patch to be released on Patch Tuesday. Microsoft announced that the two vulnerabilities have been exploited by a single state-sponsored hacker group since August 2022 and that the attacks are targeting fewer than 10 organizations worldwide.
Revised mitigation
Since September 30, Microsoft has revised the mitigation steps multiple times; the most recent revision was made on October 8. The current Exchange Server mitigation is to add a blocking rule in “IIS Manager > Default Web Site > URL Rewrite > Actions” to block the known attack patterns. Exchange Server customers should review and use one of the following options.
- Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation is enabled automatically and is updated to include the URL Rewrite rule improvements.
- Option 2: Microsoft created the EOMTv2 script for the URL Rewrite mitigation steps and updated it to include the URL Rewrite rule improvements. The EOMTv2 script auto-updates on Internet-connected machines, and the updated version shows as 22.10.07.2029. The script should be re-run on any Exchange Server without EEMS enabled.
- Option 3: Customers can follow the instructions below, which include the step 6 string update. A previously created rule for this mitigation can be deleted after the steps below are followed:
1. Open IIS Manager.
2. Select Default Web Site.
3. In the Feature View, click URL Rewrite.
4. In the Actions pane on the right-hand side, click Add Rule(s)…
5. Select Request Blocking and click OK.
6. Add the string “(?=.*autodiscover)(?=.*powershell)”.
7. Select Regular Expression under Using.
8. Select Abort Request under How to block and then click OK.
9. Expand the rule, select the rule with the pattern (?=.*autodiscover)(?=.*powershell), and click Edit under Conditions.
10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.