Microsoft has issued a warning about increased attacks on on-premises Exchange Server and SharePoint Server environments. These attacks, observed through April 2025, allow criminals to gain privileged access to networks, execute code remotely, and steal sensitive data.
Attack Methods Evolve
Attackers now frequently use NTLM relay techniques against Exchange Server. In an NTLM relay attack the adversary coerces or intercepts a victim's NTLM authentication and forwards it to the Exchange server while the handshake is still live, so the server accepts the attacker as that user without the password ever being recovered. Recent campaigns specifically target privileged accounts to maximize impact.
SharePoint attacks have become more subtle. Hackers modify legitimate files by adding web shell code to existing pages and installing remote monitoring tools. This creates persistent access that standard security tools struggle to detect.
A notable example is CVE-2024-38094, a SharePoint vulnerability under active exploitation since at least October 2024. This bug allows authenticated attackers with Site Owner permissions to inject and execute arbitrary code.
Key Vulnerability Types
Server-Side Request Forgery (SSRF)
SSRF vulnerabilities let attackers coerce the server into issuing requests on their behalf, reaching internal services that are never exposed directly and, in Exchange's case, back-end endpoints that sit behind the front-end proxy. By chaining SSRF with other flaws, attackers gain unauthorized backend access and execute code remotely.
Examples of flaws used in such chains include:
- CVE-2023-29357: a critical SharePoint Server authentication bypass (elevation of privilege); not itself an SSRF, but the entry point of a chain that ended in remote code execution
- CVE-2022-41040: an SSRF in the Exchange Server Autodiscover front end that lets an authenticated attacker reach back-end endpoints, the first half of the ProxyNotShell chain
Exchange Web Services (EWS) Abuse
Attackers use Exchange Web Services (EWS) SOAP operations to search and steal email from compromised mailboxes. They use:
- GetFolder API to map mailbox structure
- FindItem API to search for specific content
- GetItem API to access full email contents and attachments
This API-driven approach blends with legitimate Outlook traffic: in the IIS logs every call is just a POST to /EWS/Exchange.asmx, and only Exchange's own EWS logging or inspection of the request body reveals which operation ran and against whose mailbox.
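What the three operations look like when abused is a burst of GetFolder/FindItem/GetItem calls from one client against mailboxes that are not the caller's own. The following is an added example, not code from Microsoft or from this page's authors, that triages an EWS activity export for that pattern. The column names, the thresholds and the sample lines are constructed assumptions; real EWS protocol logs under the Exchange Logging\Ews folder carry more columns and different headers, so map the fields to your export before using it.

```powershell
# Added example (not Microsoft's or the page's code). Flags EWS read activity that
# spans many mailboxes from a single client, or that comes from a scripted client.
# Column names and sample rows are constructed; adapt them to your own EWS log export.
$sampleEwsLog = @'
DateTime,ClientIp,AuthenticatedUser,UserAgent,SoapAction,TargetMailbox
2025-04-10T08:01:11Z,10.0.0.25,CONTOSO\alice,Microsoft Office/16.0 (Microsoft Outlook 16.0),FindItem,alice@contoso.com
2025-04-10T08:01:12Z,10.0.0.25,CONTOSO\alice,Microsoft Office/16.0 (Microsoft Outlook 16.0),GetItem,alice@contoso.com
2025-04-10T08:03:40Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,GetFolder,ceo@contoso.com
2025-04-10T08:03:41Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,FindItem,ceo@contoso.com
2025-04-10T08:03:42Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,GetItem,ceo@contoso.com
2025-04-10T08:03:50Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,GetFolder,cfo@contoso.com
2025-04-10T08:03:51Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,FindItem,cfo@contoso.com
2025-04-10T08:03:52Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,GetItem,cfo@contoso.com
2025-04-10T08:04:01Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,GetFolder,legal@contoso.com
2025-04-10T08:04:02Z,203.0.113.9,CONTOSO\svc-backup,python-requests/2.31,FindItem,legal@contoso.com
2025-04-10T08:09:15Z,10.0.0.31,CONTOSO\bob,Microsoft Office/16.0 (Microsoft Outlook 16.0),FindItem,bob@contoso.com
'@

$events  = $sampleEwsLog | ConvertFrom-Csv
$readOps = 'GetFolder', 'FindItem', 'GetItem'

# Tunable thresholds (assumed values; set them from your own baseline).
$maxForeignMailboxes = 2
$scriptedAgents      = '^(python-requests|curl|PowerShell|Go-http-client)'

$findings = foreach ($group in ($events | Where-Object { $_.SoapAction -in $readOps } |
                                Group-Object ClientIp, AuthenticatedUser)) {
    $rows      = $group.Group
    $mailboxes = @($rows.TargetMailbox | Sort-Object -Unique)

    # Mailboxes other than the caller's own (DOMAIN\user vs user@domain).
    $user    = ($rows[0].AuthenticatedUser -split '\\')[-1]
    $foreign = @($mailboxes | Where-Object { $_ -notlike "$user@*" })

    $reasons = @()
    if ($foreign.Count -gt $maxForeignMailboxes) { $reasons += "reads $($foreign.Count) other mailboxes" }
    if ($rows[0].UserAgent -match $scriptedAgents) { $reasons += "scripted client '$($rows[0].UserAgent)'" }

    if ($reasons) {
        [pscustomobject]@{
            ClientIp   = $rows[0].ClientIp
            User       = $rows[0].AuthenticatedUser
            Operations = ($rows.SoapAction | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' '
            Mailboxes  = $mailboxes -join ','
            Why        = $reasons -join '; '
        }
    }
}

# Only the svc-backup session from 203.0.113.9 is reported for the constructed sample.
$findings | Format-Table -AutoSize
```

Delegated access and service accounts produce legitimate cross-mailbox reads, so the mailbox threshold should be set from a baseline rather than fixed, and the user-agent test is a prioritisation hint rather than a verdict: a compromised account driven from Outlook looks exactly like its owner.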
Insecure Deserialization
The Exchange PowerShell application pool (the remote PowerShell endpoint under /PowerShell) runs with high privileges, making it an attractive target. After reaching this endpoint, typically through one of the chains above, attackers send crafted cmdlet input whose deserialization triggers file writes and command execution on the server.
Microsoft’s AMSI Integration
To counter these threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both server products. AMSI functions as a security filter in the IIS pipeline, examining incoming HTTP requests, including request bodies, before they reach the application layer.
When the antimalware engine registered with AMSI flags a request, the filter rejects it in real time with an HTTP 400 Bad Request before any Exchange or SharePoint code handles it. Because the decision is based on the request content rather than on a specific patch, this can blunt exploitation attempts for which no patch yet exists, as long as the engine recognises the payload.
The Exchange AMSI request body scanning feature arrived with the November 2024 Security Update; it is off by default and is enabled per server with a setting override. SharePoint Server Subscription Edition Version 25H1 extended its existing AMSI scanning to include HTTP request bodies.
Implementation Status
Starting with September 2023 security updates for SharePoint Server 2016/2019 and Version 23H2 for SharePoint Server Subscription Edition, AMSI integration became enabled by default for all SharePoint web applications.
When a third-party security product conflicts with the feature, organizations can disable it, after:
- Installing the relevant security updates
- Running the SharePoint Products Configuration Wizard
- Following Microsoft's documented steps to disable AMSI integration
Treat that as a temporary measure and re-enable scanning once the conflicting product is updated.
Recommended Actions
Microsoft urges organizations running on-premises Exchange or SharePoint servers to:
- Apply all security updates immediately
- Enable AMSI integration with compatible antimalware solutions
- Audit and strengthen NTLM authentication, enabling Extended Protection for Authentication (EPA)
- Monitor for suspicious activity like unusual HTTP requests or unauthorized mailbox access
- Remove unnecessary services, restrict administrative access, and enforce strong authentication
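The Exchange side of "enable AMSI integration" and "enable Extended Protection" above is a short Exchange Management Shell session. The following is an added example, not a Microsoft or Messageware script: the Component, Section and Parameters values follow Microsoft's guidance for the November 2024 SU's request body scanning, while the override name, the reason text and the assumption that the EWS virtual directories use the default site names are the example's own. Microsoft's ExchangeExtendedProtectionManagement.ps1 script remains the supported way to configure Extended Protection across all virtual directories; the last step here only reads the current state.

```powershell
# Added example (not Microsoft's or Messageware's script). Run in the Exchange
# Management Shell on a server carrying the November 2024 SU or later.
# Override name and -Reason are arbitrary; Component/Section/Parameters follow
# Microsoft's AMSI integration guidance for that update.

# 1. Inspect any existing AMSI-related overrides before changing anything.
#    A HttpRequestFiltering override with Enabled=False means AMSI is switched off entirely.
Get-SettingOverride | Where-Object { $_.ComponentName -eq 'Cafe' } |
    Format-List Name, SectionName, Parameters, Reason

# 2. Turn on HTTP request body scanning for all protocols. Per-protocol switches
#    such as EnabledEws=True exist if a third-party product needs a narrower scope.
New-SettingOverride -Name 'EnableAmsiBodyScan' -Component Cafe `
    -Section AmsiRequestBodyScanning -Parameters ('EnabledAll=True') `
    -Reason 'Scan request bodies per Microsoft guidance'

# 3. Make the front end pick the override up now instead of at the next periodic refresh.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh
Restart-Service -Name W3SVC, WAS -Force

# 4. Read the Extended Protection setting on the EWS virtual directories
#    (assumed default site and vdir names). tokenChecking should read Require
#    once EP has been enabled; 'None' means NTLM relay against that endpoint is not blocked.
Import-Module WebAdministration
foreach ($vdir in 'Default Web Site/EWS', 'Exchange Back End/EWS') {
    $ep = Get-WebConfiguration -PSPath "IIS:\Sites\$vdir" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    [pscustomobject]@{ VirtualDirectory = $vdir; TokenChecking = $ep.tokenChecking }
}
```

Body scanning has a size limit and, depending on the registered engine, a measurable cost on large uploads, so roll the override out on one server first and watch the HTTP proxy logs for unexpected 400 responses before applying it farm-wide.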
As attack methods continue to advance, organizations must implement these measures to protect their critical systems and data.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers can be compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.