The SpearTip Security Operations Center team is actively tracking two disclosed Microsoft Exchange Server vulnerabilities:
Threat actors are currently exploiting these vulnerabilities, and we expect continued high levels of exploitation until patches are applied. A workaround is available that SpearTip recommends using until Microsoft provides a fix. It can be implemented with the following steps:
To block attack attempts, add a new URL rewrite rule in IIS Server:
- In Autodiscover at FrontEnd, select the URL Rewrite tab, then select Request Blocking
- Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path
- For the condition input, choose {REQUEST_URI}
Furthermore, SpearTip recommends verifying whether the Exchange server has already been impacted by these vulnerabilities by using the following PowerShell command:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
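A field-aware variant of the log check above, as an added example that is not SpearTip's or Microsoft's code: it applies the URI portion of the pattern and reads the response code from the sc-status column named in each log's #Fields header, which goes beyond the one-liner by separating answered requests from rejected ones. The function name Find-AutodiscoverHits and the sample log lines are constructed for illustration.

```powershell
# Constructed sample in IIS W3C format; hosts and addresses are placeholders.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-01 08:14:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/powershell/&Email=autodiscover/autodiscover.json%3F@example.invalid 443 - 203.0.113.7 - 200 0 0 187
2022-10-01 08:14:09 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/powershell/&Email=autodiscover/autodiscover.json%3F@example.invalid 443 - 203.0.113.7 - 401 0 0 200
2022-10-01 08:15:30 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0 200 0 0 45
'@ -split '\r?\n'

function Find-AutodiscoverHits {   # hypothetical helper name
    param([string[]]$Lines)

    # URI portion of the page's pattern. The trailing ".*200" is replaced by a
    # lookup of the sc-status column, so a "200" in another column cannot match.
    $uriPattern = 'powershell.*autodiscover\.json.*\@'
    $fields = @()

    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The column layout can change mid-file; re-read it at every header.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $uri = '{0}?{1}' -f $row['cs-uri-stem'], $row['cs-uri-query']
        if ($uri -match $uriPattern) {
            [pscustomobject]@{
                Date      = $row['date']
                Time      = $row['time']
                ClientIP  = $row['c-ip']
                Status    = [int]$row['sc-status']
                Succeeded = ($row['sc-status'] -eq '200')
                Uri       = $uri
            }
        }
    }
}

# Run against the constructed sample.
Find-AutodiscoverHits -Lines $sampleLog | Format-Table -AutoSize
# Against real logs (same placeholder path as the command above):
# Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | ForEach-Object { Find-AutodiscoverHits -Lines (Get-Content $_.FullName) }
```

The second constructed line was answered with 401 but has a time-taken of 200, so the one-liner's pattern matches it as well; the Succeeded column tells the two cases apart.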
SpearTip will continue to monitor the situation surrounding both CVEs and provide updates as additional information becomes available.
Please visit the MITRE page for these vulnerabilities for additional information and updates: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41040
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.