Security Alert

Misuse of Microsoft Exchange Vulnerability: Keep Scanning and be Prepared

The NCSC advises organisations to keep scanning and monitoring for misuse of Microsoft Exchange Servers and to take measures to limit the consequences of misuse. Contact your IT service provider if the Exchange Server is not under your own control.

What is the reason for this message?

On 10 March, a Proof-of-Concept (PoC) was found online that could be used to exploit Microsoft Exchange Server vulnerabilities. This PoC can be used by malicious parties to execute arbitrary code with system privileges on an Exchange server. The chance is therefore high that abuse of these vulnerabilities will increase in the short term and that it will also be used as a stepping stone for other digital attacks, such as ransomware.

How can I scan and monitor for abuse?

Microsoft regularly publishes updates to its scan scripts. The NCSC recommends regularly checking for these updated scripts and then executing them. Even if you have already patched and have performed scans before, the updated scripts (see Test-ProxyLogon.ps1 and http-vuln-cve2021-26855.nse) may produce different scan results and therefore require follow-up action.
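The following PowerShell is an added example, not part of the NCSC alert and not Microsoft's own code: it runs a locally downloaded copy of Microsoft's Test-ProxyLogon.ps1 against every Exchange server and keeps the results, together with the hash of the script version used, so that a later re-run with an updated script can be compared against it. It assumes it runs from the Exchange Management Shell (so Get-ExchangeServer is available), that the script has already been downloaded to the path in $ScriptPath, and that -OutPath is the script's output-directory parameter as documented by Microsoft; the paths are placeholders.

```powershell
# Added example (not from the NCSC alert, not Microsoft's code): run the
# downloaded Test-ProxyLogon.ps1 against all Exchange servers and keep the
# results per run for follow-up and for comparison with later re-runs.
param(
    [string]$ScriptPath = "C:\Tools\Test-ProxyLogon.ps1",   # assumed: where the script was downloaded
    [string]$OutRoot    = "C:\ProxyLogonScans"              # assumed: root folder for scan results
)

if (-not (Test-Path $ScriptPath)) {
    throw "Scan script not found at $ScriptPath; download the current version from Microsoft first."
}

# One folder per run, so results from different script versions are never mixed.
$runDir = Join-Path $OutRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

# Record which version of the script produced this run: the alert asks for
# repeated scans with Microsoft's updated scripts, and the hash shows which one was used.
Get-FileHash -Algorithm SHA256 -Path $ScriptPath |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $runDir 'script-version.csv') -NoTypeInformation

# Run the scan on every Exchange server in the organisation; the script writes
# its findings to the -OutPath directory (assumption: usage as documented by Microsoft).
Get-ExchangeServer | & $ScriptPath -OutPath $runDir

# Any output file other than our own version record means the script reported
# indicators that need follow-up (forensic check, password reset, etc.).
$findings = Get-ChildItem -Path $runDir -File | Where-Object Name -ne 'script-version.csv'
if ($findings) {
    Write-Warning "Scan wrote $($findings.Count) result file(s) to $runDir; review them and follow the NCSC advice."
} else {
    Write-Output "No result files from this scan in $runDir; re-run when Microsoft updates the script."
}
```

Keep the run folders: when an updated script is released, a new run lands in its own folder with its own script hash, so a change in results can be tied to the script version rather than guessed at.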

For an operational course of action, please refer to the NCSC's updated security advice. There you can find information about detecting abuse on your system and on other Exchange servers within the network.

How can I limit the possible consequences of abuse?

Think about measures you can take as an organisation to limit the consequences of (earlier) abuse of vulnerabilities in your Exchange servers. The vulnerabilities in Microsoft Exchange Server may already have been exploited before the patches were installed, and the patches do not undo malicious access obtained beforehand. Therefore, consider what consequences this may have and which measures you can take to limit them.

For example, consider the scenario in which malicious persons have captured e-mails or have prepared the ground for a ransomware attack on your systems, and then determine which measures will help mitigate that impact.

We have some concrete advice that can help you take measures:

  • Have your system (forensically) checked
  • Check the back-up facility
  • Reset your passwords and user data
  • Monitor whether your data has been leaked on the Internet

If you suspect your system has been compromised, also take the following actions:

  • Report it to the Police
  • Consider making a report to the Dutch Data Protection Authority
  • Restore or reconfigure your system

Please refer to the following documents for additional advice:

Source: NCSC.