March 28, 2023

Microsoft has announced a new security feature for Exchange Online that will gradually throttle and eventually block emails sent from “persistently vulnerable Exchange servers.”

The new “transport-based enforcement system” will be implemented for Exchange Server 2007 using OnPremises connectors to send mail, before expanding to other Exchange versions.

These servers are typically those that run end-of-life software or have not been patched against known security bugs. The primary goal of the system is to help Exchange admins identify unpatched or unsupported on-prem Exchange servers and upgrade or patch them before they become security risks. The enforcement system has three distinct functions: reporting, throttling, and blocking.

The Exchange Team explains that any Exchange server that has reached end-of-life, such as Exchange 2007, Exchange 2010, and soon Exchange 2013, or remains unpatched for known vulnerabilities, will be considered persistently vulnerable. Exchange 2016 and Exchange 2019 servers that are significantly behind on security updates are also included in this category.

The new enforcement system is designed to alert admins about security risks in their environment and to protect Exchange Online recipients from potentially malicious messages sent from persistently vulnerable Exchange servers. It will only affect servers running Exchange Server 2007 using OnPremises connectors to send mail at first, to allow fine tuning before expanding to all Exchange versions, regardless of how they connect to Exchange Online, after tuning.

This announcement follows a January call to action by Microsoft, urging customers to keep their on-prem Exchange servers up-to-date by applying the latest supported Cumulative Update (CU), always to have them ready for incoming emergency security updates.

The sources for this piece include an article in BleepingComputer.