For most people, when they think of Microsoft Exchange, they think of email — a task that many would likely welcome briefly pausing. However, Exchange is much more than email; it's tightly coupled with calendar functions, and that's critical for many organizations. Unfortunately, organizations that host on-premise instances of Microsoft Exchange are especially susceptible to a series of vulnerabilities that could adversely impact their operational capabilities. 

In 2021, Microsoft disclosed an exploitable condition that was found in publicly accessible Microsoft Exchange servers where a threat actor could perform arbitrary code execution. The initial four vulnerabilities, which utilized a zero-day attack against four separate vulnerabilities in Exchange Server, would eventually become known as ProxyLogon. At the time, the disclosure was an all-hands-on-deck situation due to the likely widespread impacts and eventually additional vulnerabilities would also be discovered.

Let’s dive into the specific risks associated with on-premises Microsoft Exchange, how threat actors exploit these risks, and how Coalition's data scanning platform alerts policyholders to both new and persistent risks related to Exchange.

ProxyLogon: the first vulnerability series

When announcing ProxyLogon, the Microsoft Threat Intelligence Center (MSTIC) described the attacks as "limited and targeted," and warned that they had been used to gain access to on-premises Exchange servers, which threat actors used to pivot to access to email accounts, harvest credentials, install malware, and perform other administrative tasks. On-premises Exchange is when an organization maintains a physical Exchange Server at its own premises. It's important to note that Exchange Online was not affected by ProxyLogon. 

In an unprecedented move, MSTIC also announced ProxyLogon had been exploited by Hafnium, a group assessed to be state-sponsored and operating out of China, primarily targeting US-based organizations running on-premises Exchange servers. MSTIC based its assessment on observed victimology, tactics, and procedures.

Email servers can contain a wealth of valuable information and even business-critical information. Email is not a secure communication method, and yet many organizations rely on email as a vital part of their daily operations. At the time of MSTIC's announcement, the ProxyLogon vulnerability allowed threat actors to not only access email but to also potentially install software on an Exchange server, which could be used to achieve any number of malicious objectives. 

During the initial set of ProxyLogon vulnerabilities, approximately 1,000 Coalition policyholders were exposed. Coalition's in-house CIR and Security teams acted quickly, and we were able to notify and remediate the vulnerability for 98% of our impacted policyholders within a week of the disclosure. This Active Response is just one pillar of our Active Insurance platform, which brings together in-depth technology, cybersecurity, and insurance expertise to help organizations assess, prevent, and respond to an emerging set of digital risks. Through Active Insurance we support brokers and policyholders before, during and after an incident occurs, taking a holistic approach to mitigating digital risk. 

ProxyShell announced: August 2021

In August of 2021, the Cybersecurity and Infrastructure Security Agency (CISA) warned organizations of a new cluster of Exchange vulnerabilities: ProxyShell. Security researcher Kevin Beaumont had also alerted the community after he noticed code being executed on his Exchange honeypots. ProxyShell enabled threat actors to bypass access control lists (ACL) in Exchange and elevate their privileges, effectively legitimizing their access, and also allowing them to access additional parts of the service. From here the threat actor has the ability to perform remote code execution, which allows them to persist within your network as a separate legitimate user outside of the vulnerability.

Fortunately for our policyholders, Coalition was prepared. 

Given the impact of previous Exchange vulnerabilities, Coalition invested the time to build a dedicated scanning module to handle Exchange events in the future. Thankfully, we already had the technology for specialized scanning. With a few code changes and testing, we were able to scan and notify our policyholders that they, again, had exposed Exchange vulnerabilities before the close of business. As our results streamed in, notifications to our policyholders streamed out, leveraging our entire system to help solve cyber risk.

Current state of Exchange vulnerabilities for policyholders

Today, Coalition can report on the version of Exchange an organization is running, which indicates the exact patch level and, therefore, any outstanding vulnerabilities that may exist for that version. Additionally, Microsoft releases new patches on the second Tuesday of each month. Our scanning engine can determine if a patch has been released and if a policyholder is at risk because they have not applied the newest patch.

Keeping policyholders safe is more than just patching and version control. Our scanning engine also checks for administrative endpoints exposed to the public internet. These endpoints are very powerful and have tremendous potential for abuse, as they do not always have the same security in place as a standard login. 

We also check for indicators of compromise (IOCs) in case our policyholders failed to remediate an Exchange vulnerability before a threat actor gained access to their network. While this is an end state we are always seeking to avoid, our CIR and security teams are available to respond and help policyholders through what can often be a complex remediation process.

This upfront investment now allows Coalition to quickly update our detection capabilities when Microsoft releases updates for Exchange, and actively work with our policyholders to minimize the time that they might be exposed to any unnecessary risk.

Future state/if you have to use Exchange

CISA released their 2021 Top Routinely Exploited Vulnerabilities in April of 2022, which was co-authored by cybersecurity authorities in several countries. In the report, CISA noted that in 2021 threat actors targeted internet-facing systems such as email servers and virtual private network (VPN) servers. Both ProxyLogon and ProxyShell were listed among the top 15 exploited vulnerabilities for the year, showing the continued risk they pose to organizations.

Given the complicated nature of the entire Exchange ecosystem, it is likely we will continue to see vulnerabilities discovered as attackers go after the broad range of capabilities and sensitive data it stores. Coalition will continue to adapt our tooling to effectively scan and alert our policyholders. If you have questions or concerns regarding your Exchange infrastructure, contact us. Additionally, if you are a Coalition customer and believe this vulnerability has been exploited in your organization, please call Coalition Claims toll-free at +1 833.866.1337.