{
	"id": "60ac90ec-e6b1-498b-91fd-32ec028a0eb3",
	"created_at": "2026-04-06T00:16:03.761742Z",
	"updated_at": "2026-04-10T13:12:01.991463Z",
	"deleted_at": null,
	"sha1_hash": "461de8bc014c04f0232773dba6617d4f74554c54",
	"title": "Microsoft Exchange Server Vulnerabilities Mitigations - updated March 15, 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78083,
	"plain_text": "Microsoft Exchange Server Vulnerabilities Mitigations - updated\r\nMarch 15, 2021\r\nBy simon-pope\r\nPublished: 2021-03-05 · Archived: 2026-04-05 13:20:05 UTC\r\nUpdate March 15, 2021: If you have not yet patched, and have not applied the mitigations referenced below, a\r\none-click tool, the Exchange On-premises Mitigation Tool is now our recommended path to mitigate until you can\r\npatch.\r\nMicrosoft previously blogged our strong recommendation that customers upgrade their on-premises\r\nExchange environments to the latest supported version. For customers that are not able to quickly apply\r\nupdates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers\r\nwho need more time to patch their deployments and are willing to make risk and service function trade-offs.\r\nThese mitigations are not a remediation if your Exchange servers have already been compromised, nor are\r\nthey full protection against attack. We strongly recommend investigating your Exchange deployments using the\r\nhunting recommendations here to ensure that they have not been compromised. We recommend initiating an\r\ninvestigation in parallel with or after applying one of the following mitigation strategies. 
All the scripts and tools\r\nmentioned in this blog, along with guidance on using them can be found here:\r\nhttps://github.com/microsoft/CSS-Exchange/blob/main/Security/\r\nCustomers should choose one of the following mitigation strategies based on your organization’s priorities:\r\nRecommended solution: Install the security patch\r\nThis method is the only complete mitigation and has no impact to functionality.\r\nThe following has details on how to install the security update:\r\nhttps://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\r\nThis will not evict an adversary who has already compromised a server.\r\nInterim mitigations if unable to patch Exchange Server 2013, 2016, and 2019:\r\nImplement an IIS Re-Write Rule to filter malicious https requests\r\nDisable Unified Messaging (UM)\r\nDisable Exchange Control Panel (ECP) VDir\r\nDisable Offline Address Book (OAB) VDir\r\nThese mitigations can be applied or rolled back using the ExchangeMitigations.ps1 script described below and\r\nhave some known impact to Exchange Server functionality. The mitigations are effective against the attacks we\r\nhave seen so far in the wild but are not guaranteed to be complete mitigations for all possible exploitation of these\r\nvulnerabilities. This will not evict an adversary who has already compromised a server. This should only be used\r\nhttps://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\r\nPage 1 of 4\n\nas a temporary mitigation until Exchange servers can be fully patched, and we recommend applying all of the\r\nmitigations at once.\r\nExchangeMitigations.ps1\r\nOverview\r\nThis script contains mitigations to help address the following vulnerabilities:\r\nThis script is to be executed via an elevated Exchange PowerShell Session or elevated Exchange Management\r\nShell. 
Details for mitigations are below and additional information is on the aforementioned GitHub.\r\nBackend Cookie Mitigation\r\nDescription: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and\r\nmalformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help\r\nwith defense against the known patterns observed but not the SSRF as a whole.\r\nNote: The IIS Rewrite rules will be removed after Exchange is upgraded and the mitigation will need to be\r\nreapplied if the security patch has not been installed.\r\nRequirements: URL Rewrite Module\r\nFor IIS 10 and higher URL Rewrite Module 2.1 is recommended, version 2.1 (x86 and x64) can be\r\ndownloaded here:\r\nhttps://www.iis.net/downloads/microsoft/url-rewrite\r\nFor IIS 8.5 and lower Rewrite Module 2.0 is recommended, version 2.0 can be downloaded here:\r\nx86 - https://www.microsoft.com/en-us/download/details.aspx?id=5747\r\nx64 - https://www.microsoft.com/en-us/download/details.aspx?id=7435\r\nImpact: No known impact to Exchange functionality if URL Rewrite module is installed as recommended.\r\nInstalling URL Rewrite version 2.1 on IIS versions 8.5 and lower may cause IIS and Exchange to become\r\nunstable. If there is a mismatch between the URL Rewrite module and IIS version, ExchangeMitigations.ps1 will\r\nnot apply the mitigation for CVE-2021-26855. You must uninstall the URL Rewrite module and reinstall the\r\ncorrect version.\r\nUnified Messaging Mitigation\r\nDescription: This mitigation will disable the Unified Message services in Exchange. Microsoft Exchange\r\nManaged Availability services are also disabled to prevent mitigation regression.\r\nImpact: Unified Messaging/Voicemail outage when these services are disabled. 
The advanced monitoring\r\ncapabilities of Exchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.\r\nECP Application Pool Mitigation\r\nDescription: This mitigation will disable the Exchange Control Panel (ECP) Virtual Directory. Microsoft\r\nExchange Managed Availability services are also disabled to prevent mitigation regression.\r\nImpact: The Exchange Control Panel will no longer be available. All Exchange Administration can be done via\r\nRemote PowerShell while the Exchange Control Panel is disabled. The advanced monitoring capabilities of\r\nExchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.\r\nOAB Application Pool Mitigation\r\nDescription: This mitigation disables the Offline Address Book (OAB) Application Pool and API. Microsoft\r\nExchange Managed Availability services are also disabled to prevent mitigation regression.\r\nImpact: OAB will be unavailable, including downloads of the Offline Address Book by Outlook clients. This may\r\nresult in stale address book results in some scenarios and configurations. The advanced monitoring capabilities of\r\nExchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.\r\nAdditional hunting and investigation techniques\r\nNmap Script To Scan For CVE-2021-26855\r\nDescription: Detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855). This can be used to validate patch and mitigation state of exposed servers.\r\nTest-ProxyLogon.Ps1\r\nThis script checks targeted Exchange servers for signs of the proxy logon compromise. Proxy logon vulnerabilities\r\nare described in CVE-2021-26855, 26858, 26857, and 27065. 
This script is intended to be run via an elevated\r\nExchange Management Shell.\r\nMicrosoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server\r\nMicrosoft Defender has included security intelligence updates to the latest version of the Microsoft Safety Scanner\r\n(MSERT.EXE) to detect and remediate the latest threats known to abuse the Exchange Server vulnerabilities\r\ndisclosed on March 2, 2021. Administrators can use this tool for servers not protected by Microsoft Defender for\r\nEndpoint or where exclusions are configured for the recommended folders below.\r\nTo use the Microsoft Support Emergency Response Tool (MSERT) to scan the Microsoft Exchange Server\r\nlocations for known indicators from adversaries:\r\n1. Download MSERT from Microsoft Safety Scanner Download - Windows security. Note: In case you need\r\nto troubleshoot it, see How to troubleshoot an error when you run the Microsoft Safety Scanner.\r\n2. Read and accept the End user license agreement, then click Next.\r\n3. Read the Microsoft Safety Scanner Privacy Statement, then click Next.\r\n4. Select whether you want to do full scan, or customized scan.\r\nFull scan – The most effective way to thoroughly scan every file on the device. 
It is the most effective\r\noption although it might take a long time to complete depending on the directory size of your server.\r\nCustomized scan – This can be configured to scan the following file paths where malicious files from the\r\nthreat actor have been observed:\r\n%IIS installation path%\\aspnet_client\\*\r\n%IIS installation path%\\aspnet_client\\system_web\\*\r\n%Exchange Server installation path%\\FrontEnd\\HttpProxy\\owa\\auth\\*\r\nConfigured temporary ASP.NET files path\r\n%Exchange Server Installation%\\FrontEnd\\HttpProxy\\ecp\\auth\\*\r\nThese remediation steps are effective against known attack patterns but are not guaranteed as complete\r\nmitigation for all possible exploitation of these vulnerabilities. Microsoft Defender will continue to monitor and\r\nprovide the latest security updates.\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-26858\r\nCVE-2021-27065\r\nPartial mitigations\r\nSource: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021"
	],
	"report_names": [
		"microsoft-exchange-server-vulnerabilities-mitigations-march-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/461de8bc014c04f0232773dba6617d4f74554c54.pdf",
		"text": "https://archive.orkl.eu/461de8bc014c04f0232773dba6617d4f74554c54.txt",
		"img": "https://archive.orkl.eu/461de8bc014c04f0232773dba6617d4f74554c54.jpg"
	}
}