
One Script to Mitigate, Scan for Malware, & Repair On-Premises Exchange Servers!

By Randy Becker, CISO & VP, Network and Security Consulting

Microsoft just released a new PowerShell script called the Exchange On-premises Mitigation Tool (EOMT): https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt.

This single script automatically fetches the downloads and dependencies it needs, applies the mitigation, runs a malware scan, and reverses changes made by known threats.


How Does the Exchange On-premises Mitigation Tool Work?

For this to work, the script assumes your Exchange servers have secure outbound access to Microsoft. The tool performs the following steps automatically, which makes everyone’s lives a lot easier by putting a mitigation in place quickly. How the script works:
• Automatically mitigates against current known attacks that use CVE-2021-26855 by applying a URL Rewrite configuration.
• Runs a malware scan of the Exchange Server using the Microsoft Safety Scanner.
• Attempts to reverse any changes made by identified threats.

[Figure: Visual of how the EOMT works (Microsoft Exchange On-Premises Mitigation Tool)]

As directed by Microsoft, and as with any tool, you should understand the following before running it:

Who should run the Exchange On-premises Mitigation Tool?

Situation: You have done nothing to date to patch or mitigate this issue.
Guidance: Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns

Situation: You have mitigated using any/all of the mitigation guidance Microsoft has given (Exchangemitigations.Ps1, blog posts, etc.).
Guidance: Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns

Situation: You have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc.
Guidance: Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been fully remediated before patching.

Situation: You have already patched and investigated your systems for any indicators of compromise, etc.
Guidance: No action is required.

If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!

Randy Becker

VP and Principal Security Architect

At Blue Mantis, Randy is responsible for leading the offensive security team. He provides leadership for the cyber security practice and advises our customers on how to better protect their assets while reducing risk. He has strong expertise in offensive security, cyber security and risk management; cloud security, security consulting, operations, and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy’s security certifications include OSEP, OSCP, CISSP, and CCNP.

Working closely with clients, he regularly designs and implements security solutions that enable organizations to effectively shrink their attack surface in an increasingly dangerous, dynamic cyber security landscape. In addition to preemptive measures, he also develops cyber security strategies to help clients contain, combat, and remediate threats where they appear, while ensuring that both industry-specific and federal compliance mandates are met.