Exchange Server has been a recurring target in recent years. Examples include the 2022 Hive ransomware campaign, in which the attackers compromised Exchange and dropped a payload named "windows.exe", followed later that year by zero-day attacks against Exchange. Earlier this year, Microsoft recommended removing certain items from the antivirus exclusion list on Exchange servers; that hardening advice followed January's Security Update, which added certificate signing of PowerShell serialization payloads.
Microsoft has today updated a Tech Community blog post with details on how it intends to protect Exchange Online against unsupported and unpatched on-premises Exchange servers. Unsupported servers no longer receive any updates, security fixes included, and unpatched ones are missing fixes that are already available, yet both can still send mail into the cloud service.
Microsoft says it is enabling a transport-based enforcement system (TES) in Exchange Online. The mechanism is straightforward: mail arriving from an on-premises Exchange server that is out of support or missing security updates is first reported to the tenant's admin, then throttled (delayed) for as long as the server remains unremediated, and eventually blocked outright if the server is never upgraded or patched. In its blog post, Microsoft explains:
To address this problem, we are enabling a transport-based enforcement system in Exchange Online that has three primary functions: reporting, throttling, and blocking. The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked.
We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service.
The full post, with further details, is available on Microsoft's Tech Community site.
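The remediation TES asks for is upgrading or patching the on-premises servers, so the first thing an admin will want is an inventory of which servers are out of support and which are merely behind on Security Updates. The script below is an added example for this article, not code from Microsoft's post. It is run from the Exchange Management Shell and assumes PowerShell remoting is allowed to each server, because the Security Update level is only visible in the ExSetup.exe file version, not in the version Get-ExchangeServer reports. The build numbers in $MinimumBuilds are placeholders; replace them with the current Security Update builds from Microsoft's published Exchange build-number table before use.

```powershell
# Added example (not from the Microsoft post). Inventory on-premises Exchange
# servers and flag the ones an enforcement system like TES would object to:
# releases with no supported build at all, and servers below a minimum build.
# Run from the Exchange Management Shell; reading ExSetup.exe on remote
# servers uses PowerShell remoting, so WinRM must be reachable on each server.
function Get-ExchangePatchStatus {
    [CmdletBinding()]
    param(
        # Keys are Major.Minor of the Exchange release (15.1 = Exchange 2016,
        # 15.2 = Exchange 2019). Values are the lowest ExSetup.exe version you
        # treat as patched. These numbers are PLACEHOLDERS for illustration;
        # copy the current Security Update build from Microsoft's
        # "Exchange Server build numbers and release dates" page before use.
        [hashtable]$MinimumBuilds = @{
            '15.1' = [version]'15.1.2507.0'
            '15.2' = [version]'15.2.1258.0'
        }
    )

    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion identifies the release and Cumulative Update only.
        $majorMinor = '{0}.{1}' -f $server.AdminDisplayVersion.Major,
                                    $server.AdminDisplayVersion.Minor

        # The Security Update level is carried in the ExSetup.exe file version.
        # Exchange setup puts its Bin folder on the system PATH, so Get-Command
        # resolves ExSetup.exe inside the remote session.
        try {
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
            }
            $installed = [version]$fileVersion
        } catch {
            $installed = $null
        }

        $status = if (-not $MinimumBuilds.ContainsKey($majorMinor)) {
            'Unsupported: no patched build exists for this release; upgrade'
        } elseif ($null -eq $installed) {
            'Unknown: could not read ExSetup.exe version (check remoting)'
        } elseif ($installed -lt $MinimumBuilds[$majorMinor]) {
            'Unpatched: below minimum build; install the Security Update'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Server    = $server.Name
            Release   = $majorMinor
            Installed = $installed
            Minimum   = $MinimumBuilds[$majorMinor]
            Status    = $status
        }
    }
}

# Usage: list everything that needs attention before Exchange Online starts
# throttling mail from it.
Get-ExchangePatchStatus | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Servers reported as "Unsupported" cannot be fixed by installing a Security Update; they have to be migrated to a supported release, which is the case TES is ultimately designed to block. Servers reported as "Unknown" are worth chasing first, since a server whose patch level cannot even be read is a poor candidate to keep relaying mail into Exchange Online.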