One Script to Mitigate, Scan for Malware, & Repair On-Premises Exchange Servers!
By Randy Becker, CISO & VP, Network and Security Consulting
Microsoft just released a new PowerShell script called the Exchange On-premises Mitigation Tool (EOMT): https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt.
This single script automatically downloads the dependencies it needs, applies the mitigation, runs a malware scan, and reverses changes made by known threats.
How Does the Exchange On-premises Mitigation Tool Work?
For this to work, the script assumes your Exchange servers have secure outbound access to Microsoft. The tool makes everyone's lives a lot easier by quickly implementing a mitigation. It automatically performs the following:
• Mitigates against current known attacks that exploit CVE-2021-26855 by applying a URL Rewrite configuration.
• Runs a malware scan of the Exchange Server using the Microsoft Safety Scanner.
• Attempts to reverse any changes made by identified threats.
As Microsoft notes, as with any tool, you should understand the following before running it:
- EOMT is only effective against known attacks and is not guaranteed to mitigate all possible future attack techniques. This is a temporary mitigation until your Exchange servers can be fully updated as outlined in Microsoft's previous guidance.
- Microsoft recommends this script over the previous ExchangeMitigations.ps1 script as it is based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
- This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
- So far, Microsoft has not observed any impact to Exchange Server functionality when using this tool.
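Before running the tool, a practitioner would want to confirm that the assumptions above actually hold on the server: outbound HTTPS access, an elevated session for the IIS change, and a copy of the script whose signature checks out. The following PowerShell pre-flight script is an added example written for this article, not code from Microsoft or the CSS-Exchange project. The endpoint hostnames, the EOMT.ps1 path and the Microsoft signer check are assumptions; EOMT itself is invoked with no parameters, exactly as the article describes.

```powershell
# Added example (not Microsoft's EOMT code): pre-flight checks before launching EOMT.ps1.
# Assumptions (not from the article): EOMT.ps1 has been saved to C:\EOMT\EOMT.ps1, and the
# hostnames below are the ones the tool reaches for its downloads and dependencies.

$script:Findings = @()

function Add-Finding {
    # Collect one pass/fail result so everything is reported together at the end.
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $script:Findings += [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# 1. Outbound HTTPS reachability: the article states the tool assumes secure outbound
#    access to Microsoft, and it fetches its dependencies from GitHub as well.
$endpoints = 'github.com', 'raw.githubusercontent.com', 'go.microsoft.com'   # assumed hosts
foreach ($endpoint in $endpoints) {
    $ok = (Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    $detail = if ($ok) { 'reachable' } else { 'blocked: allow egress before running the tool' }
    Add-Finding -Check "Outbound 443 to $endpoint" -Passed $ok -Detail $detail
}

# 2. Elevation: the URL Rewrite mitigation changes IIS configuration, which needs an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Finding -Check 'Running elevated' -Passed $isAdmin -Detail 'IIS changes require an elevated session'

# 3. Exchange build: record the installed version so it can be compared against the patched
#    builds in Microsoft's guidance (aka.ms/exchangevulns) once the mitigation is in place.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    Add-Finding -Check 'Exchange build' -Passed $true -Detail $exsetup.FileVersionInfo.FileVersion
} else {
    Add-Finding -Check 'Exchange build' -Passed $false -Detail 'ExSetup.exe not found: is this an Exchange server?'
}

# 4. Script integrity: only run a copy that carries a valid Microsoft Authenticode signature.
$scriptPath = 'C:\EOMT\EOMT.ps1'   # assumed location
if (Test-Path $scriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    $valid = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
    Add-Finding -Check 'EOMT.ps1 signature' -Passed $valid -Detail "$($sig.Status) / $($sig.SignerCertificate.Subject)"
} else {
    Add-Finding -Check 'EOMT.ps1 present' -Passed $false -Detail "Not found at $scriptPath"
}

# 5. Execution policy: a Restricted policy blocks every script, signed or not.
$policy = Get-ExecutionPolicy
Add-Finding -Check 'Execution policy' -Passed ($policy -ne 'Restricted') -Detail "$policy"

$script:Findings | Format-Table -AutoSize

if ($script:Findings.Passed -contains $false) {
    Write-Warning 'One or more pre-flight checks failed; resolve them before running EOMT.ps1.'
} else {
    Write-Host "Pre-flight checks passed. Run the tool from an elevated prompt: & $scriptPath"
}
```

The reachability check only proves a TCP connection on 443; if egress goes through an inspecting proxy that rewrites or blocks the downloads, the tool's own output is the place to confirm the dependencies actually arrived.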
Who should run the Exchange On-premises Mitigation Tool?
Situation | Guidance
--- | ---
If you have done nothing to date to patch or mitigate this issue. | Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns
If you have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.ps1, blog posts, etc.) | Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns
If you have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc. | Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been fully remediated before patching.
If you have already patched and investigated your systems for any indicators of compromise, etc. | 
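Every row that says "run EOMT.PS1" leaves the same follow-up question: how do you confirm the mitigation landed and read what the Safety Scanner found? The following PowerShell snippet is an added example for this article, not Microsoft's code. It assumes the WebAdministration module is available (it is on IIS hosts), that the mitigation is expressed as an IIS URL Rewrite rule on Default Web Site, and that the Safety Scanner (MSERT) writes its log to %SystemRoot%\debug\msert.log, which is the documented MSERT log location.

```powershell
# Added example (not Microsoft's code): post-run verification after EOMT.ps1 has completed.
# Assumptions: WebAdministration module present, mitigation applied as a URL Rewrite rule
# under Default Web Site, and the MSERT log at $env:SystemRoot\debug\msert.log.

Import-Module WebAdministration -ErrorAction Stop

function Get-RewriteRules {
    # Enumerate the URL Rewrite rules on the site the mitigation targets and return their names.
    param([string]$Site = 'Default Web Site')
    $rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath "IIS:\Sites\$Site"
    return @($rules | ForEach-Object { $_.name })
}

function Get-SafetyScannerSummary {
    # Pull the result lines out of the MSERT log; a missing log means the scan never ran here.
    param([string]$LogPath = (Join-Path $env:SystemRoot 'debug\msert.log'))
    if (-not (Test-Path $LogPath)) {
        return [pscustomobject]@{ Found = $false; Lines = @() }
    }
    # The exact wording varies between MSERT versions, so match broadly on the words that
    # appear in detection and end-of-scan lines and let the analyst read the matches.
    $hits = Get-Content $LogPath | Where-Object { $_ -match 'infect|threat|Return code|Scan completed' }
    return [pscustomobject]@{ Found = $true; Lines = @($hits) }
}

$rules = Get-RewriteRules
if ($rules.Count -eq 0) {
    Write-Warning 'No URL Rewrite rules found on Default Web Site; the mitigation may not have applied.'
} else {
    Write-Host 'URL Rewrite rules present on Default Web Site:'
    $rules | ForEach-Object { Write-Host "  - $_" }
}

$scan = Get-SafetyScannerSummary
if (-not $scan.Found) {
    Write-Warning 'msert.log not found; the Safety Scanner pass did not run or logged elsewhere.'
} else {
    Write-Host 'Safety Scanner summary lines:'
    $scan.Lines | ForEach-Object { Write-Host "  $_" }
}
```

A rule list that is non-empty tells you IIS accepted a rewrite configuration, not that it is the right one; compare the listed names against the tool's own console output for the run. Any detection line in the log is a reason to treat the server as compromised and move to a full investigation rather than stopping at the tool's automated remediation.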
If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!