Exchange Server Zero-Day - Emergency Mitigation Service applied URL Rewrite

Hi All,

On 29 September, Microsoft reported zero-day vulnerabilities in Exchange Server and published the advisory below.

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server


I was wondering if the Exchange Server Emergency Mitigation Service had kicked in. But until Friday evening, 30 September, there was just the default rule.

."C:\Program Files\Microsoft\Exchange Server\V15\scripts\Get-Mitigations.ps1"


When I checked today, a new rule had been deployed.

."C:\Program Files\Microsoft\Exchange Server\V15\scripts\Get-Mitigations.ps1"


You can see the Rule in the XML that is the base for the Mitigation Service



If you want to check the URL Rewrite, here is how to do it:

%systemroot%\system32\inetsrv\iis.msc
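
The same check can be done from the shell instead of IIS Manager. The following is an added example, not part of the original post and not Microsoft's script. It is read-only and assumes an elevated Exchange Management Shell on the Exchange server, the WebAdministration module that ships with IIS, and the default site name "Default Web Site".

```powershell
# Added example: read-only check of the Emergency Mitigation Service state
# and of the URL Rewrite rules currently configured in IIS.
Import-Module WebAdministration

# Assumption: the Exchange front-end site still has its default name.
$site = 'IIS:\Sites\Default Web Site'

# 1. Is the mitigation service enabled for the organization and this server,
#    and which mitigation IDs does the server report as applied or blocked?
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $env:COMPUTERNAME |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 2. List the inbound URL Rewrite rules on the site with pattern, conditions
#    and action, so a newly deployed rule is visible without the GUI.
$rules = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/rules/rule'

if (-not $rules) {
    Write-Warning "No URL Rewrite rules found on '$site'."
}

$rules | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.name
        Enabled    = $_.enabled
        UrlPattern = $_.match.url
        Action     = $_.action.type
        # Each condition is shown as "<input> ~ <pattern>".
        Conditions = ($_.conditions.Collection |
                        ForEach-Object { "$($_.input) ~ $($_.pattern)" }) -join '; '
    }
} | Format-List
```

An empty rule list while MitigationsApplied shows an ID is worth investigating, as is a rule that exists but has Enabled set to False.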





In my opinion, it took way too long until the rule was published to the Exchange Server Emergency Mitigation Service, given that such attacks had been seen in the wild, although I appreciate the fact that they are now available and help to protect customers from these attacks.

For systems that do not have the Exchange Server Emergency Mitigation Service enabled, or for older Exchange versions, you can use the script from Microsoft:

Exchange On-premises Mitigation Tool v2 (EOMTv2)

Regards
Andres Bohren