was having a normal Tuesday (March 2nd, 2021) in the IT Managed Services world until I got home and noticed many mobile notifications for Exchange server vulnerabilities (CVE-2021-26855 and CVE-2021-26857). My first reaction was Organizations should have already moved to Microsoft 365 or Exchange Online. Microsoft Exchange Server 2019, Exchange Server 2016, Exchange Server 2013 were all affected by vulnerabilities, but not Exchange Online. I thought, “This should be a wake-up call to plan your migration to Microsoft 365 now and to stop postponing the inevitable.  

To give some background into the Exchange server vulnerabilities, the vulnerabilities were identified by a Virginia-based firm called Volexity on Jan. 6th, 2021 from malicious traffic that had happened 3 days prior. The vulnerabilities are said to leave a backdoor via a module used to store voicemails and faxes. According to Daniel Krebs, the vulnerabilities have “been in the Microsoft Exchange Server code base for more than ten years.” So, for years, this vulnerability potentially could have been exploited.  

In the middle of 2017, Office 365 or Microsoft 365, which includes Exchange online, was launched, and as I mentioned before wasn’t affected by this vulnerability. Microsoft and many other software providers have been pushing organizations to use Software as a Service (SaaS) based subscription plans for a while, and if you want to avoid future vulnerabilities it is in your organizations best interest to start subscribing to SaaS-based solutions. Organizations should be looking at configuring their software solutions to achieve max productivity where at all possible, instead of having to manage infrastructure. Moser Consulting’s Managed Services team has assisted many clients with their migrations to Microsoft 365, and we would be a happy to support you in your organization’s migration! 

Download our solutions brief to learn how Moser has helped other organizations with Microsoft 365, Exchange and the challenges you face in this area. 

References: 

http://go.moserit.com/Microsoft365

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ 

https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/