Microsoft Defender adds automatic Exchange ProxyLogon mitigation

Microsoft Defender Antivirus will now protect unpatched on-premises Exchange servers from ongoing attacks by automatically mitigating the actively exploited CVE-2021-26855 vulnerability.

Customers running System Center Endpoint Protection on their servers will also be protected through the same automated mitigation process.

“The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases,” Microsoft said.

“This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.”

ProxyLogon automatic mitigation

The Microsoft Defender automatic protection from active attacks targeting unpatched Exchange servers works by breaking the attack chain.

It automatically mitigates CVE-2021-26855 via a URL Rewrite configuration and scans the servers for changes made by previous attacks, automatically reversing them.

“With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed,” Microsoft added.

“Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.”

Microsoft has published ProxyLogon security updates for Microsoft Exchange Server 2019, 2016, and 2013, as well as step-by-step guidance to help address these ongoing attacks.

Redmond has also released a one-click Exchange On-Premises Mitigation Tool to help small business owners mitigate these actively exploited vulnerabilities in current and out-of-support versions of on-premises Exchange Servers.

Exchange servers targeted by state hackers, ransomware

Earlier this month, Microsoft disclosed that four zero-days were being used in attacks against Microsoft Exchange.

These vulnerabilities are collectively known as ProxyLogon and are being used to deploy web shells, cryptominers, and, more recently, DearCry ransomware payloads on compromised on-premises Exchange servers.

Since Microsoft disclosed the ongoing attacks, Slovak internet security firm ESET has discovered at least ten APT groups targeting unpatched Exchange servers.

According to Palo Alto Networks, over 125,000 Exchange Servers still wait to be patched worldwide.

Furthermore, tens of thousands of organizations have already been compromised since at least January, two months before Microsoft started releasing patches.