
Microsoft is enabling a new security feature to protect users from on-premises Exchange servers that have not been kept up to date with security updates.

Microsoft is enabling a new system for Exchange Online that will automatically throttle and then block email sent from “persistently vulnerable Exchange servers”, meaning servers that have gone without the necessary security updates for 90 days.

The new feature was announced in a blog post from Microsoft’s Exchange Team on March 23. “As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers”, the team writes.


Enabling a “Transport-based Enforcement System”

To address this problem, Microsoft says it is enabling a transport-based enforcement system in Exchange Online with three primary functions: reporting, throttling, and blocking. The system is designed to alert admins to unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). It also has throttling and blocking capabilities: if a server is not remediated, mail flow from that server will first be throttled (delayed) and eventually blocked.

A staged process

Microsoft says it is taking “a progressive enforcement approach” that will gradually increase the throttling of email from unpatched servers over time. Blocking will also be phased in gradually, culminating in 100% of non-compliant traffic being blocked, the company says.

The staged “enforcement actions” are: increase throttling, add blocking, increase blocking, full blocking. These escalate until the “vulnerable” server is remediated (i.e., updated or removed from service).

Microsoft has sent a Message Center post to all Exchange Server customers directing them to the blog post explaining the new enforcement feature. The company says it will also send targeted Message Center posts to “un-remediated” server customers 30 days before their version of Exchange Server is included in the enforcement system.