Exchange Server Zero-Day - Emergency Mitigation Service applied URL Rewrite
Hi All,
On 29. September Microsoft reported Zero-Day Vulnerabilities in Exchange Server and published the Advisory below.
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
I was wondering if the Exchange Server Emergency Mitigation Service kicked in. But until FR Evening 30 September there was just the default Rule
."C:\Program Files\Microsoft\Exchange Server\V15\scripts\Get-Mitigations.ps1"
When i checked today, a new Rule has been deployed
."C:\Program Files\Microsoft\Exchange Server\V15\scripts\Get-Mitigations.ps1"
You can see the Rule in the XML that is the base for the Mitigation Service
If you want to check the URL Rewrite here is how to do it
%systemroot%\system32\inetsrv\iis.msc
In my Opinion it took way to long until the Rule was published out to the Exchange Server Emergency Mitigation Service. Due to the fact, that there were seen such Attacs in the wild. Altough i appreciate the fact, that they are now available and help to Protect Customers from these Attacks.
For Systems that do not have the Exchange Server Emergency Mitigation Service Enabled or older Exchange Versions you can use the Script from Microsoft.
Exchange On-premises Mitigation Tool v2 (EOMTv2)
Regards
Andres Bohren