
It’s Time to Say Goodbye to On-Premises Microsoft Exchange

Gregory Andersen, October 07, 2025

Microsoft Exchange was once the gold standard of business email, powering calendars, contacts, and communications across millions of offices. Installing it on your own servers meant control. It meant reliability. It meant your business had a professional-grade system just like the Fortune 500 companies.

For small and midsize businesses (SMBs), Exchange delivered affordability, familiarity, and tight integration with the Microsoft ecosystem that almost everyone already used. But the world has changed, and Exchange hasn’t kept up.

If cyber attackers had a “most wanted” list of exploitable technologies, on-premises Exchange would be near the top. Exchange servers have been plagued by vulnerabilities and configuration issues for years, and businesses that expose their on-prem Exchange servers to the public internet are significantly more likely to experience a cyber incident.

Now, to make matters worse: Microsoft will soon end its support for Exchange 2016 and 2019. That means no more security updates. No more patches. No more safety net. Any vulnerability discovered after the end-of-life (EOL) date of October 14, 2025, will remain permanently unpatched and create an open door for eager attackers.

For businesses still clinging to on-prem Exchange, now is the time to migrate to a secure cloud or hosted email solution that’s updated automatically, more resilient to attacks or long periods of interruption, and built for the way we work today.

The legacy of Microsoft Exchange

Exchange was the crown jewel of business productivity in the early 2000s. Running it on your own servers gave you control and reliability; for SMBs, it offered the prestige of enterprise-grade email on a smaller scale. That control came at a cost (dedicated hardware, constant patching, and IT expertise to keep it all humming), but felt worth it at the time.

Fast forward to today, and the equation has flipped. What used to be a sign of control is now a liability. Exchange was built in a world of static networks but now demands relentless maintenance, manual updates, and constant vigilance against threats. Instead of empowering businesses, on-prem email solutions drain resources and expand their attack surfaces.

“These technologies have evolved over time and become interconnected to business applications and processes across the internet, creating more pathways to monitor, assess, maintain, and protect,” said Ryan Gregory, Security Support Center Lead at Coalition. “Now, they require more computational resources, hardware, storage, and security tooling, as well as a skilled workforce to maintain it all.”

Cloud and hosted email solutions deliver the same functionality that Exchange once promised, just without the baggage. Updates happen automatically, security protections are continuously refreshed, and businesses are freed from the grind of babysitting fragile infrastructure.

Exchange hasn’t disappeared yet, but it’s become what legacy technology always becomes: a burden waiting to break.


Why Exchange is such a significant risk

Exchange isn’t just a legacy technology: It’s one of the most consistently exploited pieces of software on the internet.

Over the past several years, Exchange has been at the center of major security crises, including vulnerabilities like ProxyLogon and ProxyShell. Thousands of businesses around the world were compromised in these attack campaigns. In many cases, the damage included stolen data, ransomware deployment, and millions in recovery costs.

“After the ProxyLogon and ProxyShell attacks, threat actors found enough ammunition in the way Exchange was built to continue to drive spoofing and remote code execution vulnerabilities that plagued Microsoft at almost a monthly rate,” added Gregory. “This caused increased downtime from patching issues from critical security updates.”

The risk isn’t limited to vulnerabilities, either. Many businesses unknowingly make Exchange even more dangerous by exposing their login pages for email access and administration directly to the public internet so that employees can log in from anywhere. The problem is that attackers are scanning the internet 24/7 for exactly these portals. Once they find them, they can launch brute-force attacks with weak or stolen passwords.

The consequences of an Exchange compromise are painfully real, often leading to attackers stealing sensitive emails, planting ransomware across the network, or siphoning off data to sell on the dark web.

“Exchange reaching EOL is a dream scenario for attackers,” said Tiago Henriques, Chief Underwriting Officer at Coalition. “It’s a technology with widespread adoption, a history of critical weaknesses, and no future fixes.”

Put simply: Exchange isn’t just another outdated tool. It’s a high-value target for attackers, and continuing to rely on it puts businesses directly in the line of fire.


What businesses can (and should) do now

If your business still relies on on-prem Exchange, here are the steps that matter most:

  • Remove Exchange login pages from the internet: Direct access is the single biggest risk. Move Exchange login panels behind a secure virtual private network (VPN) and ensure multi-factor authentication (MFA) is required for all remote users.

  • Apply every patch while patches are still available: Even though support is ending, it’s critical to stay fully patched up until October 14, 2025.

  • Monitor your environment: Endpoint detection and response (EDR) tools can help spot suspicious logins or malicious activity tied to Exchange.

  • Plan a migration: The long-term solution is moving to a supported platform, like Microsoft 365. Cloud and hosted email aren’t just modern; they’re safer, patched automatically, and less of a management burden.
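The monitoring step above is easiest to act on when "suspicious logins" is turned into a concrete rule. The following is an added example written for this article, not Coalition's own tooling: it reads IIS-style access log lines for the Exchange web front end, counts failed form-logon attempts per source address in a sliding window, and raises a second alert when a successful logon follows such a burst (the pattern an exposed portal being brute-forced with stolen or weak passwords tends to leave). The log column order, the sample traffic, and the convention that a failure is logged as 401 and a success as 302 are all constructed for the example; the form-logon paths `/owa/auth.owa` and `/ecp/auth.owa` are the real OWA and ECP handlers, but the status-code convention should be adapted to what your own servers actually write (many log a redirect to `logon.aspx?reason=2` on failure instead).

```python
"""Flag brute-force style logon activity against an Exchange OWA/ECP portal.

Added example for the article above; not Coalition tooling. The log
format below is a simplified, constructed subset of the IIS W3C fields:
    date time cs-method cs-uri-stem c-ip cs-username sc-status
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic (documentation-range addresses, not real hosts).
# 203.0.113.5 hammers the logon handlers and then gets in as "bob";
# 198.51.100.7 fails twice, far apart, and should not alert.
SAMPLE_LOG = """\
2025-10-01 08:00:01 GET /owa/ 192.0.2.10 - 200
2025-10-01 08:00:05 POST /owa/auth.owa 192.0.2.10 alice 302
2025-10-01 08:01:00 POST /owa/auth.owa 203.0.113.5 - 401
2025-10-01 08:01:02 POST /owa/auth.owa 203.0.113.5 - 401
2025-10-01 08:01:05 POST /owa/auth.owa 203.0.113.5 - 401
2025-10-01 08:01:09 POST /owa/auth.owa 203.0.113.5 - 401
2025-10-01 08:01:14 POST /owa/auth.owa 203.0.113.5 - 401
2025-10-01 08:01:20 POST /ecp/auth.owa 203.0.113.5 - 401
2025-10-01 08:02:30 POST /owa/auth.owa 203.0.113.5 bob 302
2025-10-01 08:10:00 POST /owa/auth.owa 198.51.100.7 - 401
2025-10-01 08:20:00 POST /owa/auth.owa 198.51.100.7 - 401
"""

# Form-based logon handlers for Outlook Web App and the Exchange admin center.
LOGIN_PATHS = {"/owa/auth.owa", "/ecp/auth.owa"}
# Assumed convention for this example; adapt to what your IIS logs record.
FAILURE_STATUSES = {401}
SUCCESS_STATUSES = {302}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time_, method, path, ip, user, status = fields
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "path": path,
        "ip": ip,
        "user": None if user == "-" else user,
        "status": int(status),
    }


def detect_login_abuse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for logon bursts against the Exchange web front end.

    - "brute_force": a source IP reached `threshold` failed logons within `window`.
    - "success_after_failures": that same source then authenticated successfully
      (credential guessing that worked, or a stolen password confirmed).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()               # ips already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip, ts = rec["ip"], rec["ts"]
        failures = recent[ip]
        # Slide the window: drop failures older than `window`.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if rec["status"] in FAILURE_STATUSES:
            failures.append(ts)
            if len(failures) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(failures),
                               "first": failures[0], "last": ts})
        elif rec["status"] in SUCCESS_STATUSES and rec["user"]:
            if ip in alerted or len(failures) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": ip,
                               "user": rec["user"],
                               "failures": len(failures), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the rule reports one brute-force alert for 203.0.113.5 after its fifth failure and one success-after-failures alert when "bob" logs in from that address; 198.51.100.7 never alerts because its two failures fall outside the five-minute window. The same shape of rule (count-per-source in a sliding window, then correlate with the next success) is what an EDR or SIEM query for the portal would encode, and the threshold and window are the two knobs to tune against your own baseline.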

For businesses that have started their migrations but may not finalize them in time, Microsoft is offering a six-month Extended Security Update (ESU) for Exchange 2016 and 2019 servers. Please note that the ESU is not an extension of the support lifecycle and that you will not be able to open new support cases.

Exchange reaching EOL can be a turning point

Remember: Cyber criminals are opportunists. They don’t waste time on hardened defenses when there are easier doors to walk through. Exposed and unsupported Exchange servers are about to become the easiest door of all.

By locking down Exchange now (or better yet, replacing it altogether), businesses can protect their people, their data, and their bottom line. The end of support for Exchange doesn’t have to be a crisis. It can be the moment your business finally moves forward from legacy technology and embraces a more secure, sustainable future.


This article originally appeared in the September 2025 edition of the Cyber Savvy Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc. All other products and company names are the intellectual property of their respective brand owners.
