Exchange Online will soon start blocking emails from old, vulnerable on-prem servers
Slowly but surely, Microsoft aims to make it impossible for unsupported and/or unpatched on-prem Microsoft Exchange servers to use the company’s Exchange Online hosted cloud service to deliver email.
Blocking potentially malicious emails from reaching Exchange Online
“To address [the problem of persistently vulnerable Exchange servers that cannot be trusted], we are enabling a transport-based enforcement system in Exchange Online that has three primary functions: reporting, throttling, and blocking,” the Exchange Team noted.
“The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked.”
In the first stage of this planned enforcement, Microsoft will just make it obvious to Exchange Server admins that a particular server is unsupported or out-of-date: by showing alerts in a new mail flow report in the admin center in Exchange Online, and via a post in the Message Center that all Exchange Server customers will see.
If that doesn’t incentivize them to patch or upgrade in the next 30 days, the company will roll onto the next stage: delaying (throttling) the server’s delivery of emails to the Exchange Online service for 5 minutes.
The next 6 stages involve increasing periods of just throttling or throttling AND blocking. Finally, if the admin of that server hasn’t moved to patch or upgrade the server in 90 days, Exchange Online will no longer accept any messages from the server.
The stages of progressive enforcement system (Source: Microsoft)
“Persistently vulnerable” servers and the emails sent from them can’t be trusted, Microsoft says, and are a danger to all Exchange Online cloud instances, as well as email recipients.
“The enforcement system will eventually apply to all versions of Exchange Server and all email coming into Exchange Online, but we are starting with a very small subset of outdated servers: Exchange 2007 servers that connect to Exchange Online over an inbound connector type of OnPremises,” the Exchange Team added.
“Following this initial deployment, we will incrementally bring other Exchange Server versions into the scope of the enforcement system. Eventually, we will expand our scope to include all versions of Exchange Server, regardless of how they send mail to Exchange Online.”
If a server version is still supported (e.g. Exchange 2016 and 2019) but the server is “significantly behind” on security updates, it will be considered vulnerable and mail flow from it will be delayed and/or blocked.
“If the server is patched after it is permanently blocked, then Exchange Online will again accept messages from the server, as long as the server remains in compliance. If a server cannot be patched, it must be permanently removed from service,” Microsoft pointed out.
Why?
Microsoft’s stated goal is to protect its internal infrastructure and to raise the security profile of the Exchange ecosystem, especially because there has been a significant increase in the frequency of attacks against Exchange servers in the last few years.
Lively discussions in the announcement‘s comments section and on Reddit revealed that some people welcome Microsoft’s move and others see it as the beginning of a maneuver that will force customers to stop using Exchange on-prem completely and switch to using Exchange Online (and pay for that, of course).
Scott Schnoll – Microsoft’s Product Manager for Exchange Online and Exchange Server – said that Microsoft won’t be stopping support for newer versions of Exchange servers. Also, that customers are not required to replace unsupported versions of Exchange with a newer one.
“There is no requirement to use a Microsoft product to send mail to Exchange Online. We want customers to be secure no matter where they choose to run their email,” he noted.
Can we assume that means that, eventually, email traffic from other non-Microsoft products that are deemed “persistently vulnerable” will be blocked as well? The company did not explicitly say.
“We are initially focusing on email servers we can readily identify as being persistently vulnerable, but we will block all potentially malicious mail flow that we can,” the Exchange Team stated.
When?
Schnoll says that after a short private preview, the first wave of affected customers will see the new mail flow report and alerts on May 23.
“June is when throttling begins for the first wave, and July is when blocking begins. On the day blocking begins for the current set of customers, the next set of customers will receive notification,” he added.