There is a zero-day exploit in the wild that allows bad actors to obtain full control over an Exchange server, which then gives access to other internal resources. Microsoft released a patch for this on March 2, 2021.
Exchange Server 2010, 2013, 2016 and 2019 are all affected. Exchange Online is not affected; however, many organizations still have a hybrid environment set up.
Please note that to install the patches in question, your Exchange server may need an Exchange Cumulative Update installed first.
Microsoft, the U.S. government and Mirazon all urge you to apply these patches right away.
We also noticed that auto-forwarding may get disabled by this patch, probably on purpose on Microsoft’s part.
If any user has a rule in their Outlook or Exchange to auto-forward email to an external account, it may be disabled after this week’s patches. This also applies to hybrid environments with Office 365 mailboxes. The auto-forwarding email will receive an NDR (non-delivery receipt), so you will know the auto-forwarding is disabled.
We typically don’t recommend auto-forwarding anyway, as that is a liability. It is an easy way to lose control of corporate data. It is also a common method used by hackers to access email. If an account is compromised, typically the first thing the bad actor will do is set up rules in Outlook to automatically move email to other folders or to auto-forward, so unsuspecting users won’t see certain emails. It’s also common for users to assume that since they changed their password the account is no longer compromised, not realizing email is still auto-forwarding to an outside malicious party.
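One way to audit for the forwarding and mail-hiding rules described above. This is an added example, not code from Mirazon or Microsoft; it assumes the Exchange Management Shell with rights to read mailboxes and inbox rules, and the helper names `Test-ExternalAddress` and `New-Finding` are hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell with rights to read mailboxes and inbox rules.
# Domains the organization accepts mail for are treated as internal (wildcard entries are not expanded).
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Test-ExternalAddress {   # hypothetical helper name
    param([string]$Address)
    # Matches 'smtp:user@domain' and '"Name" [SMTP:user@domain]'; other address types return $false.
    if ($Address -match 'smtp:[^@\s\]]+@([^\s\]]+)') {
        return $internal -notcontains $Matches[1].ToLower()
    }
    return $false
}

function New-Finding {   # hypothetical helper name
    param($Mailbox, $Kind, $Rule, $Target, $Enabled)
    [pscustomobject]@{ Mailbox = "$Mailbox"; Kind = $Kind; Rule = $Rule; Target = "$Target"; Enabled = $Enabled }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $addr = "$($mbx.PrimarySmtpAddress)"

    # Forwarding set on the mailbox itself (keeps working after a password change, like inbox rules).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        New-Finding $addr 'Mailbox forward, external' '' $mbx.ForwardingSmtpAddress $true
    }
    if ($mbx.ForwardingAddress) {
        # A directory recipient; it can be a mail contact that points outside, so list it for review.
        New-Finding $addr 'Mailbox forward, directory recipient' '' $mbx.ForwardingAddress $true
    }

    foreach ($rule in Get-InboxRule -Mailbox $addr -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress "$_" })
        if ($external.Count -gt 0) {
            New-Finding $addr 'Inbox rule, external forward' $rule.Name ($external -join '; ') $rule.Enabled
        }
        elseif ($rule.MoveToFolder -or $rule.DeleteMessage) {
            # Rules that hide mail from the user; many are legitimate, so review rather than remove.
            $action = if ($rule.DeleteMessage) { 'delete' } else { "move to $($rule.MoveToFolder)" }
            New-Finding $addr 'Inbox rule, hides mail' $rule.Name $action $rule.Enabled
        }
    }
}

$findings | Sort-Object Mailbox, Kind | Format-Table -AutoSize -Wrap
```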
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (for Service Pack 3 – this is a Defense in Depth update)
- Exchange Server 2013 (CU 23)
- Exchange Server 2016 (CU 19, CU 18)
- Exchange Server 2019 (CU 8, CU 7)