Microsoft planning to block outdated Exchange servers

Microsoft plans to throttle and block email from vulnerable Exchange servers to Exchange Online.

Microsoft will block e-mail from outdated Exchange servers

Outdated and completely unsupported versions of Exchange Server pose an undeniable danger to corporate infrastructure and to mail flow. However, many administrators still believe in the proverb “if it ain’t broke — don’t fix it”, and prefer not to update Exchange unless absolutely necessary. This appears to be why Microsoft decided to develop its transport-based enforcement system for Exchange Online.

The main purpose of this system is to notify administrators that they’re working with outdated and possibly unsafe software, and that, if they don’t subsequently update in a timely fashion, mail delivery from vulnerable servers will be gradually throttled and eventually blocked. It’s hoped that this system will serve as a convincing reason for administrators to finally upgrade or update Exchange Servers.

How the transport-based enforcement system works

The mechanism is quite simple: when Exchange Online receives mail from an Exchange Server through an inbound connector of the OnPremises type, it identifies the server’s build version and evaluates whether it is safe to receive mail from it (i.e., whether the server’s version is supported and critical security patches are in place). If the server is vulnerable, Exchange Online records the date of its first encounter with it and adds a notification about the outdated server to the mail flow report, which Exchange Server administrators can access.

If the situation doesn’t change within 30 days from the moment of initial discovery, Exchange Online will begin to throttle (in other words delay) messages from the vulnerable server. The throttling duration increases progressively every 10 days. If nothing changes 60 days after detection, Exchange Online begins to block the e-mails.

Initially, Microsoft plans to apply this system to Exchange 2007 servers only, but later the same approach will be applied to all versions of Exchange, regardless of how the servers communicate with Exchange Online (that is, it won’t be limited to just the OnPremises inbound connector). You can find additional details regarding the transport-based enforcement system in the official Exchange team’s blog post. Unfortunately, it lacks information on when this system will be launched and, most importantly, when it will extend its scope to other versions of Exchange Server.
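The detection-and-escalation timeline described above, as a runnable model added here for illustration (this is not Microsoft’s code): it parses an Exchange build string, treats only major version 8 (Exchange 2007) as enforced by default to match the initial scope, and computes which stage a server is in from its first-seen date. The post does not publish the actual throttle delays, so the model reports a throttle level (one step per 10 days) rather than a duration; the build strings and dates are constructed sample values.

```python
from datetime import date

# Stage thresholds stated in the article
REPORT_ONLY_DAYS = 30      # days of notification-only before throttling starts
THROTTLE_STEP_DAYS = 10    # throttling escalates every 10 days
BLOCK_DAYS = 60            # mail is blocked from this day on

# Exchange major build number -> product (well-known mapping, not from the post)
MAJOR_TO_PRODUCT = {8: "Exchange 2007", 14: "Exchange 2010", 15: "Exchange 2013/2016/2019"}


def parse_build(build):
    """Split 'major.minor.build.revision' into a tuple of ints; reject anything else."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Exchange build string: %r" % build)
    return tuple(int(p) for p in parts)


def is_enforced(build, enforced_majors=frozenset({8})):
    """True if the server's product family is in scope of enforcement (assumed: Exchange 2007 only)."""
    return parse_build(build)[0] in enforced_majors


def enforcement_stage(build, first_seen, today, enforced_majors=frozenset({8})):
    """Return (stage, throttle_level, days_since_first_seen) for one sending server.

    stage is 'ok' (not enforced), 'report' (<30 days), 'throttle' (30-59 days,
    level 1..3 rising every 10 days) or 'block' (>=60 days).
    """
    if not is_enforced(build, enforced_majors):
        return ("ok", 0, 0)
    days = (today - first_seen).days
    if days < 0:
        raise ValueError("first_seen lies in the future")
    if days < REPORT_ONLY_DAYS:
        return ("report", 0, days)
    if days < BLOCK_DAYS:
        level = 1 + (days - REPORT_ONLY_DAYS) // THROTTLE_STEP_DAYS
        return ("throttle", level, days)
    return ("block", 0, days)


def mail_flow_report(observations, today):
    """Build report rows (server, product, stage, level, days) from (server, build, first_seen) tuples."""
    rows = []
    for server, build, first_seen in observations:
        product = MAJOR_TO_PRODUCT.get(parse_build(build)[0], "unknown")
        stage, level, days = enforcement_stage(build, first_seen, today)
        rows.append((server, product, stage, level, days))
    return rows


if __name__ == "__main__":
    # Constructed sample: two on-premises servers seen by Exchange Online on different dates
    sample = [("ex07.corp.example", "8.3.517.0", date(2023, 1, 1)),
              ("ex19.corp.example", "15.2.1118.7", date(2023, 1, 1))]
    for row in mail_flow_report(sample, date(2023, 2, 10)):
        print(row)
```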

Why a transport-based enforcement system is important

Implementation of such a system will be interesting as a precedent. Microsoft is rather aggressively demonstrating to its customers how highly it regards the importance of its cloud infrastructure security. It will be very interesting to see if this initiative turns into a trend — if other manufacturers of hybrid solutions (i.e., which run partly on a customer’s premises and partly in the cloud) follow Microsoft’s example.

How to ensure Microsoft Exchange servers’ operability and secure e-mail flow?

If you are still using an unsupported version of the Exchange platform, it’s probably time to upgrade. If you run a supported version of Exchange, you need to monitor the release of security patches and install them promptly.

In addition, we recommend protecting Exchange servers and the mail delivered through them with the dedicated solution Kaspersky Security for Microsoft Exchange Server (included in Kaspersky Security for Mail Server). Moreover, as the last few years have shown, attackers willingly exploit vulnerabilities in Microsoft Exchange — sometimes creating exploits before users have a chance to install patches — and this can lead to rather serious consequences. But you can stay on top of things — controlling what’s happening in the corporate infrastructure and detecting malicious activity in time — with the help of Managed Detection and Response-class services.