{
	"id": "b20e7f01-f7b4-4878-8e4a-06329fa35df6",
	"created_at": "2026-04-06T00:18:01.668102Z",
	"updated_at": "2026-04-10T13:12:02.15659Z",
	"deleted_at": null,
	"sha1_hash": "ce714e96c6987e68dbc8f78eb22c8dfc8357f2a9",
	"title": "CSS-Exchange/Security at main · microsoft/CSS-Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82513,
	"plain_text": "CSS-Exchange/Security at main · microsoft/CSS-Exchange\r\nBy lusassl-msft\r\nArchived: 2026-04-05 15:05:33 UTC\r\nScript | More Info | Download\r\nEOMT | More Info | Download\r\nExchangeMitigations.ps1 | More Info | Obsolete\r\nhttp-vuln-cve2021-26855.nse | More Info | Obsolete\r\nTest-ProxyLogon.ps1 | More Info | Download\r\nSecurity scripts\r\nExchange On-premises Mitigation Tool (EOMT)\r\nThis script contains mitigations to help address the following vulnerability:\r\nCVE-2021-26855\r\nThis is the most effective way to help quickly protect and mitigate your Exchange Servers prior to patching. We recommend this script over the previous ExchangeMitigations.ps1 script. The Exchange On-premises Mitigation Tool automatically downloads any dependencies and runs the Microsoft Safety Scanner. This is a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods.\r\nEOMT.ps1 is completely automated and uses familiar mitigation methods previously documented. This script performs four operations:\r\n+NEW Check for the latest version of EOMT and download it.\r\nMitigate against current known attacks using CVE-2021-26855 via a URL Rewrite configuration.\r\nScan the Exchange Server using the Microsoft Safety Scanner.\r\nAttempt to remediate compromises detected by the Microsoft Safety Scanner.\r\nThis is a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. 
We have not observed any impact to Exchange Server functionality via these mitigation methods, nor do these mitigation methods make any direct changes that disable features of Exchange.\r\nUse of the Exchange On-premises Mitigation Tool and the Microsoft Safety Scanner is subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy\r\nRequirements to run the Exchange On-premises Mitigation Tool\r\nhttps://github.com/microsoft/CSS-Exchange/tree/main/Security\r\nPage 1 of 6\n\nExternal Internet connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).\r\nThe PowerShell script must be run as Administrator.\r\nSystem Requirements\r\nPowerShell 3 or later\r\nIIS 7.5 and later\r\nExchange 2013, 2016, or 2019\r\nWindows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019\r\n+New If the operating system is older than Windows Server 2016, KB2999226 must be installed for IIS URL Rewrite Module 2.1 to work.\r\nWho should run the Exchange On-premises Mitigation Tool\r\nSituation | Guidance\r\nIf you have done nothing to date to patch or mitigate this issue… | Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns\r\nIf you have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.Ps1, blog post, etc.) | Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns\r\nIf you have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc. | Run EOMT.PS1 as soon as possible. 
This will attempt to remediate any existing compromise that may not have been fully remediated before patching.\r\nIf you have already patched and investigated your systems for any indicators of compromise, etc. | No action is required\r\nImportant note regarding Microsoft Safety Scanner\r\nThe Exchange On-premises Mitigation Tool runs the Microsoft Safety Scanner in quick scan mode. If you suspect any compromise, we highly recommend you run it in FULL SCAN mode. FULL SCAN mode can take a long time, but if you are not running Microsoft Defender AV as your default AV, FULL SCAN will be required to remediate threats.\r\nExchange On-premises Mitigation Tool Examples\r\nThe default recommended way of using EOMT.ps1. This will determine if your server is vulnerable, mitigate if vulnerable, and run MSERT in quick scan mode. If the server is not vulnerable, only the MSERT quick scan will run.\r\n.\\EOMT.ps1\r\nTo run a full MSERT scan. We recommend this option only if the initial quick scan discovered threats. The full scan may take hours or days to complete.\r\n.\\EOMT.ps1 -RunFullScan -DoNotRunMitigation\r\nTo run the Exchange On-premises Mitigation Tool with MSERT in detect-only mode (MSERT will not remediate detected threats):\r\n.\\EOMT.ps1 -DoNotRemediate\r\nTo roll back the Exchange On-premises Mitigation Tool mitigations:\r\n.\\EOMT.ps1 -RollbackMitigation\r\nNote: If ExchangeMitigations.ps1 was used previously to apply mitigations, use ExchangeMitigations.ps1 for rollback.\r\n+NEW EOMT will now AutoUpdate by downloading the latest version from GitHub. 
To prevent EOMT from fetching updates to EOMT.ps1 from the internet:\r\n.\\EOMT.ps1 -DoNotAutoUpdateEOMT\r\nExchange On-premises Mitigation Tool Q \u0026 A\r\nQuestion: What mode should I run EOMT.ps1 in by default?\r\nAnswer: By default, EOMT.ps1 should be run without any parameters. This will run the default mode, which does the following:\r\n1. Checks if your server is vulnerable based on the presence of the SU patch or the Exchange version.\r\n2. Downloads and installs the IIS URL Rewrite tool (only if vulnerable).\r\n3. Applies the URL Rewrite mitigation (only if vulnerable).\r\n4. Runs the Microsoft Safety Scanner in \"Quick Scan\" mode (vulnerable or not).\r\nQuestion: What if I run a full scan and it's affecting the resources of my servers?\r\nAnswer: You can terminate the scan process by running the following command in an Administrative PowerShell session.\r\nStop-Process -Name msert\r\nQuestion: What is the real difference between this script (EOMT.PS1) and the previous script Microsoft released (ExchangeMitigations.Ps1)?\r\nAnswer: The Exchange On-premises Mitigation Tool was released to help pull together multiple mitigation and response steps, whereas the previous script simply enabled mitigations. 
Some details on what each does:\r\nEOMT.PS1\r\nMitigation of CVE-2021-26855 via a URL Rewrite configuration.\r\nMitigation does not impact Exchange functionality.\r\nMalware scan of the Exchange Server via the Microsoft Safety Scanner.\r\nAttempt to reverse any changes made by identified threats.\r\nExchangeMitigations.ps1:\r\nDoes mitigations for all 4 CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 \u0026 CVE-2021-26858.\r\nSome of the mitigation methods impact Exchange functionality.\r\nDoes not do any scanning for existing compromise or exploitation.\r\nDoes not take response actions to existing active identified threats.\r\nQuestion: What if I do not have an external internet connection from my Exchange server?\r\nAnswer: If you do not have an external internet connection, you can still use the legacy script (ExchangeMitigations.ps1) and other steps from the mitigation blog post: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021\r\nQuestion: If I have already run the mitigations previously, will the Exchange On-premises Mitigation Tool roll back any of the mitigations?\r\nAnswer: No, please use the legacy script (ExchangeMitigations.ps1) to do rollback. 
The legacy script supports rollback for the mitigations the Exchange On-premises Mitigation Tool applied.\r\nTest-ProxyLogon.ps1\r\nFormerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.\r\nDownload the latest release here:\r\nDownload Test-ProxyLogon.ps1\r\nUsage\r\nThe most typical usage of this script is to check all Exchange servers and save the reports, by using the following syntax from the Exchange Management Shell:\r\nGet-ExchangeServer | .\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs\r\nTo check the local server only, just run the script:\r\n.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs\r\nTo check the local server and copy the identified logs and files to the OutPath:\r\n.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs -CollectFiles\r\nTo display the results without saving them, pass -DisplayOnly:\r\n.\\Test-ProxyLogon.ps1 -DisplayOnly\r\nFrequently Asked Questions\r\nThe script says it found suspicious files, and it lists a bunch of zip files. What does this mean?\r\nThe script will flag any zip/7z/rar files that it finds in ProgramData. As noted in this blog post, web shells have been observed using such files for exfiltration. An administrator should review the files to determine if they are valid. Determining if a zip file is a valid part of an installed product is outside the scope of this script, and whitelisting files by name would only encourage the use of those specific names by attackers.\r\nI'm having trouble running the script on Exchange 2010.\r\nIf PowerShell 3 is present, the script can be run on Exchange 2010. It will not run on PowerShell 2. One can also enable PS Remoting and run the script remotely against Exchange 2010. 
However, the script has minimal functionality in these scenarios, as Exchange 2010 is only affected by one of the four announced exploits, CVE-2021-26857. Further, this exploit is only available if the Unified Messaging role is present. As a result, it is often easier to simply run the Get-EventLog command from the blog post, rather than using Test-ProxyLogon.\r\nExchangeMitigations.ps1\r\nNOTE: This script is obsolete and is no longer maintained. Please use EOMT.ps1 instead.\r\nThe final release can be downloaded here:\r\nDownload ExchangeMitigations.ps1\r\nThis script contains 4 mitigations to help address the following vulnerabilities:\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-27065\r\nCVE-2021-26858\r\nFor more information on each mitigation please visit https://aka.ms/exchangevulns\r\nThis should only be used as a temporary mitigation until your Exchange Servers can be fully patched; the recommended guidance is to apply all of the mitigations at once.\r\nFor this script to work you must have the IIS URL Rewrite Module installed, which can be done via this script using the -FullPathToMSI parameter.\r\nURL Rewrite Module 2.1 must be installed; you can download version 2.1 here:\r\nx86 \u0026 x64 - https://www.iis.net/downloads/microsoft/url-rewrite\r\nFor systems running IIS 8.5 and lower, KB2999226 must be installed. 
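The prerequisites above (PowerShell 3 or later, an elevated session, IIS URL Rewrite Module 2.1, KB2999226 on Windows Server older than 2016, and, for EOMT only, outbound Internet access) are the same ones listed for EOMT earlier on this page. The following PowerShell is an added example, not code from the CSS-Exchange repository, that checks all of them before either script is run. The function names are mine; the assumptions it makes that the page does not state are that URL Rewrite registers the IIS global module named RewriteModule backed by rewrite.dll in the inetsrv folder, that Windows Server 2016 is build 14393 (so anything lower is the pre-2016 case), and that EOMT's downloads come from the two Microsoft hosts named in the connectivity check.

```powershell
#Requires -Version 3.0
# Added example, not part of the CSS-Exchange repository: pre-flight checks for the
# prerequisites this page lists for EOMT.ps1 and ExchangeMitigations.ps1.
# Items the page does not state are marked ASSUMPTION.

function Test-TcpReachable {
    # Connect-only probe with a timeout; works on PowerShell 3, where Test-NetConnection is absent.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-MitigationPrerequisites {
    [CmdletBinding()]
    param()
    $results = @()

    # PowerShell 3 or later (stated requirement for both scripts).
    $psVersion = $PSVersionTable.PSVersion
    $results += New-CheckResult 'PowerShell 3.0 or later' ($psVersion.Major -ge 3) ($psVersion.ToString())

    # Elevated session (both scripts must run as Administrator).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += New-CheckResult 'Elevated (Administrator) session' $isAdmin ($identity.Name)

    # IIS URL Rewrite Module. EOMT installs it itself when online; ExchangeMitigations.ps1 needs it
    # present or supplied through -FullPathToMSI. ASSUMPTION: the module registers the IIS global
    # module named RewriteModule and its binary is rewrite.dll in the inetsrv folder.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $rewriteModule = $null
    if (Get-Command Get-WebGlobalModule -ErrorAction SilentlyContinue) {
        $rewriteModule = Get-WebGlobalModule -Name 'RewriteModule' -ErrorAction SilentlyContinue
    }
    $rewriteDll = Join-Path $env:SystemRoot 'System32' | Join-Path -ChildPath 'inetsrv' | Join-Path -ChildPath 'rewrite.dll'
    $dllVersion = 'not found'
    if (Test-Path $rewriteDll) { $dllVersion = (Get-Item $rewriteDll).VersionInfo.ProductVersion }
    $rewritePassed = ($null -ne $rewriteModule) -and (Test-Path $rewriteDll)
    $results += New-CheckResult 'IIS URL Rewrite Module installed (2.1 required)' $rewritePassed ('rewrite.dll product version: ' + $dllVersion + '; confirm it is the 2.1 release')

    # KB2999226 is needed for URL Rewrite 2.1 on Windows Server older than 2016 (IIS 8.5 and lower).
    # ASSUMPTION: Windows Server 2016 is build 14393, so a lower build is the pre-2016 case.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $needsKb = [int]$os.BuildNumber -lt 14393
    $kb      = $null
    if ($needsKb) { $kb = Get-HotFix -Id 'KB2999226' -ErrorAction SilentlyContinue }
    $kbDetail = if (-not $needsKb) { 'not required on ' + $os.Caption } elseif ($kb) { 'installed' } else { 'missing (Get-HotFix did not list it; verify manually)' }
    $results += New-CheckResult 'KB2999226 on pre-2016 Windows Server' ((-not $needsKb) -or ($null -ne $kb)) $kbDetail

    # Outbound HTTPS, required by EOMT to fetch MSERT and the URL Rewrite installer
    # (ExchangeMitigations.ps1 is the offline alternative). ASSUMPTION: the two hosts below
    # are the Microsoft download hosts; substitute what your proxy logs show EOMT contacting.
    foreach ($name in @('go.microsoft.com', 'download.microsoft.com')) {
        $reachable = Test-TcpReachable -HostName $name -Port 443
        $results += New-CheckResult ('Outbound HTTPS to ' + $name) $reachable 'required by EOMT only'
    }
    return $results
}

# Usage: run in an elevated PowerShell session on the Exchange server.
$checks = Test-MitigationPrerequisites
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites failed; fix them before running EOMT.ps1 or ExchangeMitigations.ps1.'
}
```

A failed connectivity row does not block ExchangeMitigations.ps1, which is exactly the offline case the Q and A above describes; a failed KB2999226 row on an older server means URL Rewrite 2.1 will not load even if the MSI installs cleanly, so resolve that row before applying any mitigation.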
Please review the prerequisites for this KB and download it from https://support.microsoft.com/en-us/topic/update-for-universal-c-runtime-in-windows-c0514201-7fe6-95a3-b0a5-287930f3560c\r\nThe script requires PowerShell 3.0 or later and must be executed from an elevated PowerShell session.\r\nTo apply all mitigations with MSI install:\r\n.\\ExchangeMitigations.ps1 -FullPathToMSI \"FullPathToMSI\" -WebSiteNames \"Default Web Site\" -ApplyAllMitigations\r\nTo apply all mitigations without MSI install:\r\n.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyAllMitigations -Verbose\r\nTo roll back all mitigations:\r\n.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackAllMitigation\r\nTo apply multiple or specific mitigations (out of the 4):\r\n.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyECPAppPoolMitigation -ApplyOABAppPoolMitigation\r\nTo roll back multiple or specific mitigations:\r\n.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackECPAppPoolMitigation -RollbackOABAppPoolMitigation\r\nhttp-vuln-cve2021-26855.nse\r\nNOTE: This file is obsolete and is no longer maintained. Please use EOMT.ps1 instead.\r\nThe final release can be downloaded here:\r\nDownload http-vuln-cve2021-26855.nse\r\nThis file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server server-side request forgery vulnerability (CVE-2021-26855). For usage information, please read the top of the file.\r\nSource: https://github.com/microsoft/CSS-Exchange/tree/main/Security",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/microsoft/CSS-Exchange/tree/main/Security"
	],
	"report_names": [
		"Security"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce714e96c6987e68dbc8f78eb22c8dfc8357f2a9.pdf",
		"text": "https://archive.orkl.eu/ce714e96c6987e68dbc8f78eb22c8dfc8357f2a9.txt",
		"img": "https://archive.orkl.eu/ce714e96c6987e68dbc8f78eb22c8dfc8357f2a9.jpg"
	}
}