Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

DHS Gives Federal Agencies 5 Days to Identify Vulnerable MS Exchange Servers

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a supplemental directive requiring all federal agencies to identify

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a supplemental directive requiring all federal agencies to identify vulnerable Microsoft Exchange servers in their environments within five days.

Providing additional direction on the implementation of CISA Emergency Directive 21-02, which on March 3 requested federal agencies to take the necessary steps to disconnect and update Exchange servers, the new directive demands agencies to accelerate the mitigation process.

The new requirements are meant to complement the initial directive and apply to all operational Exchange servers that are either hosted by or on behalf of federal agencies and which had been connected to the Internet “at any time since January 1, 2021.”

CISA says that federal agencies did respond to the Emergency Directive and triaged and updated Exchange servers hosted in the federal enterprise, but also notes that the new directions are meant to help identify possibly undetected compromise.

“Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening,” CISA said in an advisory.

Per the new directive, federal agencies are required to download and scan their environments with the latest version of Microsoft Safety Scanner (MSERT) within the next five days (by 12:00 pm Eastern Daylight Time on Monday, April 5, 2021), and report to CISA the results of the scans.

Then, the agencies should repeat the process weekly for the following four weeks, but only report any possible indicators of compromise discovered.

Advertisement. Scroll to continue reading.

“MSERT only scans when manually triggered and it is updated frequently. Agencies must download the latest version of this tool before each scan. Running MSERT in Full Scan mode may cause server resource utilization to peak. Accordingly, CISA recommends agencies run the tool during off-peak hours,” CISA warns.

By April 5, agencies are also required to download and run the Test-ProxyLogon.ps1 script, as administrator, which should help identify potential attacker activity by analyzing Exchange and IIS logs. All results should be reported back to CISA.

“This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065. This script is intended to be run via an elevated Exchange Management Shell,” CISA explains.

The supplemental direction also provides a series of hardening requirements that federal agencies should implement by 12:00 pm Eastern Daylight Time on Monday, June 28, 2021, and which include the use of firewalls, applying software updates, ensuring that all software is still supported by vendors, and applying the principle of least privilege to minimize impact of compromise.

Related: Ransomware Gangs Targeting Vulnerable Exchange Servers

Related: Microsoft Defender Protects Against Ongoing Exchange Attacks

Related: Microsoft Ships One-Click Mitigation for Exchange Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...