Organizations using Exchange Server will get a new automated emergency mitigation tool after installing Microsoft’s September cumulative updates. This new tool, called the Microsoft Exchange Emergency Mitigation service, is an automated Exchange Server component.

The Mitigation service is based on the Microsoft Exchange On-premises Mitigation Tool (EOMT), released in mid-March to help organizations that had not yet patched address an active threat: the so-called Hafnium APT group, which was involved in widespread attacks leveraging the ProxyLogon vulnerabilities.

EOMT provides a PowerShell script that configures Exchange Server with mitigations against threats, but it is a manually applied, ad hoc tool. The Microsoft Exchange Emergency Mitigation service, in contrast, automates part of this process and applies mitigations automatically whenever Microsoft releases them.

Actions performed by a mitigation include rewriting URLs, stopping or starting application pools and services, changing authentication settings, and modifying other configuration settings.

The Mitigation service is neither an alternative to nor a reprieve from applying security updates. It exists only to add protection while Exchange Server is exposed to vulnerabilities "that are being actively exploited in the wild"; in other situations, applying the security update remains the straightforward path.

Prerequisites

  • The IIS URL Rewrite Module 2 needs to be installed on the Exchange Server.
  • An update for Universal Runtime in Windows (KB2999226) is needed for users of Exchange Server 2016 on Windows Server 2012 R2.
  • Organizations will need an Internet connection to the Office Config Service (OCS).

On Exchange servers without Internet connectivity, you'll want to disable the EM service, because it can't work without a connection to OCS. In those cases, or when you don't want automatic mitigation, we recommend using the EOMT to apply available mitigations manually.
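As an added example (not Microsoft's own code or part of EOMT), the following PowerShell pre-flight check covers the three prerequisites above and the no-connectivity case. It assumes the URL Rewrite installer's registry key under HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite, the OCS hostname officeclient.microsoft.com over TCP 443, and the MitigationsEnabled parameter of Set-ExchangeServer; the function name and output layout are the example's own.

```powershell
# Added example: check the Exchange Emergency Mitigation (EM) prerequisites on this
# server. Run from the Exchange Management Shell as an administrator.
function Test-EmPrerequisites {
    param(
        # Assumed OCS endpoint for the reachability test; confirm the hostname
        # against Microsoft's current EM service documentation.
        [string]$OcsHost = 'officeclient.microsoft.com',
        [int]$OcsPort = 443,
        # When set, disable EM on this server if OCS is unreachable (the
        # manual-EOMT path recommended above). Off by default: report only.
        [switch]$DisableWhenOffline
    )

    $results = [ordered]@{}

    # 1. IIS URL Rewrite Module 2. The module installer registers this key
    #    (assumed location); URL-rewrite mitigations cannot be applied without it.
    $rewriteKey = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    $rewrite = Get-ItemProperty -Path $rewriteKey -ErrorAction SilentlyContinue
    if ($rewrite) {
        $ver = if ($rewrite.Version) { " (v$($rewrite.Version))" } else { '' }
        $results['UrlRewriteModule'] = "installed$ver"
    } else {
        $results['UrlRewriteModule'] = 'MISSING'
    }

    # 2. KB2999226 (Universal C Runtime) is only required for Exchange 2016 on
    #    Windows Server 2012 R2, so skip the check on other OS versions.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($os -like '*2012 R2*') {
        $kb = Get-HotFix -Id 'KB2999226' -ErrorAction SilentlyContinue
        $results['KB2999226'] = if ($kb) { 'installed' } else { 'MISSING' }
    } else {
        $results['KB2999226'] = "not required on $os"
    }

    # 3. Outbound HTTPS to the Office Config Service; EM fetches mitigations from
    #    OCS and cannot operate without this connection.
    $conn = Test-NetConnection -ComputerName $OcsHost -Port $OcsPort -WarningAction SilentlyContinue
    $results['OcsReachable'] = [bool]$conn.TcpTestSucceeded

    if (-not $conn.TcpTestSucceeded) {
        Write-Warning "No route to ${OcsHost}:$OcsPort from $env:COMPUTERNAME; EM cannot retrieve mitigations here."
        if ($DisableWhenOffline) {
            # Server-scope switch; Set-OrganizationConfig -MitigationsEnabled $false
            # would turn it off organization-wide instead.
            Set-ExchangeServer -Identity $env:COMPUTERNAME -MitigationsEnabled $false
            $results['EmDisabled'] = $true
        } else {
            Write-Warning 'Apply mitigations manually with EOMT, or rerun with -DisableWhenOffline.'
        }
    }

    [pscustomobject]$results
}

# Usage: report only, then review before disabling anything.
Test-EmPrerequisites | Format-List
```

A result of MISSING for either of the first two rows means the September cumulative update will install the EM service but it cannot apply rewrite-based mitigations (or, on 2012 R2, may fail to run at all) until the prerequisite is in place; a false OcsReachable row is the case where the guidance above is to leave EM off and fall back to EOMT.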

Microsoft Statement

Organizations can let the service send diagnostic data to Microsoft, or they can opt out of sending data. Opting out doesn’t disable the service.

Microsoft is planning to test the service with a sample mitigation called PING at some point. The PING test makes no changes. It just verifies the health of the service.