The threat outlook for on-premises Microsoft Exchange servers has shifted from “constant monitoring” to “imminent threat.” In a new joint advisory, the NSA, CISA, the FBI, and international partners (ASD’s ACSC and CCCS) have issued a stark warning: Exchange environments are continuously targeted by nation-state actors and cybercriminals.

With the release of this guidance, it is clear that basic patching is no longer sufficient. To secure the operational core of your organization’s communications, you must implement a defense-in-depth strategy—one that often requires looking beyond native controls. While the advisory provides an excellent baseline, robust security architectures benefit from third-party layers, such as F5 for network traffic inspection and Messageware for specialized Exchange protection and monitoring.

Here’s a summary of the critical measures outlined in the advisory.

1. Urgent: End-of-Life Migration to Exchange SE

Microsoft Exchange Server 2019 and 2016 reached their End-of-Life (EOL) on October 14, 2025. Running unsupported software is a primary vector for compromise, as vulnerabilities discovered after this date will remain unpatched.

Organizations must migrate to Microsoft Exchange Server Subscription Edition (SE) immediately. This is now the sole supported on-premises version. If immediate migration isn’t possible, the advisory explicitly recommends isolating the legacy server from the open internet and using a secure email gateway—though this is a temporary stopgap, not a solution.

2. New Protection Layers: Extended Protection & Emergency Mitigation

Administrators often overlook two automated defense mechanisms that significantly raise the bar for attackers:

  • Extended Protection (EP): This feature defends against “Adversary-in-the-Middle” (AitM) and relay attacks by using Channel Binding Tokens (CBTs). It links user authentication to a unique TLS session, ensuring that even if credentials are intercepted, they cannot be replayed elsewhere.
  • Emergency Mitigation (EM) Service: This service automatically installs interim mitigations (such as IIS URL Rewrite rules) to block specific patterns of malicious HTTP requests. While not a replacement for security updates, it serves as a critical automated shield between the discovery of a vulnerability and the release of a patch.
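Added example, not from the advisory or Messageware: a script that reports the state of both mechanisms above, the Emergency Mitigation service (org-wide and per-server switch, plus what it has applied or blocked) and Extended Protection (the IIS `tokenChecking` value on each virtual directory). Run it from the Exchange Management Shell; the EP part reads the local IIS configuration, so run it on each server or wrap it in Invoke-Command. The virtual-directory list is an illustrative subset and the numeric-to-name mapping for `tokenChecking` is an assumption; Microsoft's EP documentation defines the full list and which directories are expected to be Require versus Allow.

```powershell
# Added example (not from the advisory or Messageware): state of the Emergency
# Mitigation service and of Extended Protection on Exchange servers.
Import-Module WebAdministration -ErrorAction Stop

# Illustrative subset of Exchange virtual directories (assumption: consult
# Microsoft's Extended Protection matrix for the full, authoritative list).
$VdirsToCheck = @(
    'Default Web Site/owa', 'Default Web Site/ecp', 'Default Web Site/mapi',
    'Default Web Site/EWS', 'Default Web Site/Autodiscover', 'Default Web Site/PowerShell'
)

function Get-EmergencyMitigationState {
    # Org-wide switch, per-server switch, and what EM has actually applied or blocked
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
    foreach ($srv in Get-ExchangeServer) {
        $s = Get-ExchangeServer -Identity $srv.Name
        [pscustomobject]@{
            Server            = $s.Name
            OrgMitigations    = $orgEnabled
            ServerMitigations = $s.MitigationsEnabled
            Applied           = (@($s.MitigationsApplied) -join ', ')
            Blocked           = (@($s.MitigationsBlocked) -join ', ')
        }
    }
}

function Get-ExtendedProtectionState {
    # EP is stored in IIS as windowsAuthentication/extendedProtection
    # tokenChecking = None | Allow | Require on each virtual directory.
    $enumNames = @{ 0 = 'None'; 1 = 'Allow'; 2 = 'Require' }   # assumption: IIS enum order
    foreach ($vdir in $VdirsToCheck) {
        $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -ErrorAction SilentlyContinue
        $value = 'unreadable'
        if ($attr) {
            $raw = $attr.Value
            if ($raw -is [int] -and $enumNames.ContainsKey([int]$raw)) { $value = $enumNames[[int]$raw] }
            else { $value = [string]$raw }
        }
        $finding = switch ($value) {
            'Require' { 'OK: channel binding token required' }
            'Allow'   { 'Partial: CBT accepted but not required' }
            'None'    { 'FINDING: Extended Protection is off' }
            default   { 'Check manually' }
        }
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            VirtualDir    = $vdir
            TokenChecking = $value
            Finding       = $finding
        }
    }
}

Get-EmergencyMitigationState | Format-Table -AutoSize
Get-ExtendedProtectionState  | Format-Table -AutoSize
```

A server whose MitigationsEnabled is false, or whose MitigationsBlocked list is non-empty, has opted out of the automated shield described above and should be reviewed; any virtual directory reporting None has no channel binding at all, which is the condition relay attacks depend on.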

3. Authentication Overhaul: Modern Auth, Kerberos, and Deprecating NTLM

Legacy protocols are a playground for attackers. The advisory calls for a complete overhaul of how Exchange handles identity:

  • Adopt Modern Authentication: Move away from Basic Authentication to Modern Auth (OAuth 2.0). This is a prerequisite for enabling Multi-Factor Authentication (MFA), which is non-negotiable in the current threat environment.
  • Shift to Kerberos: Organizations must identify third-party software and configurations relying on NTLM and upgrade them to support Kerberos.
  • The End of NTLM: NTLMv1 should already be disabled. However, organizations should now be auditing NTLMv2 usage with the goal of deprecating it entirely, as Exchange Server SE is making Kerberos the default.
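Added example, not from the advisory or Messageware: before NTLMv2 can be deprecated you need to know who still uses it. The script below builds that inventory from Security event 4624 on an Exchange server, keeping only logons whose authentication package was NTLM and splitting them by LmPackageName (NTLM V1 versus NTLM V2), source address and account. It assumes you run it elevated on the server, that logon auditing is enabled so 4624 events exist, and that a seven-day window is enough; it only sees logons to the server it runs on, so on a multi-server estate run it everywhere or query the same fields in your SIEM.

```powershell
# Added example (not from the advisory or Messageware): inventory NTLM logons
# from Security event 4624 so each source can be migrated to Kerberos.
param([int]$Days = 7)

function Get-NtlmLogonInventory {
    param([int]$Days)
    $start  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Kerberos logons carry AuthenticationPackageName = Kerberos; skip them
        if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Version     = $d['LmPackageName']     # 'NTLM V1' or 'NTLM V2'
            LogonType   = $d['LogonType']         # 3 = network, typical for mail clients
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

$inventory = @(Get-NtlmLogonInventory -Days $Days)

# NTLMv1 should already be gone; any hit here is an immediate finding
$v1 = @($inventory | Where-Object { $_.Version -eq 'NTLM V1' })
"NTLM V1 logons in the last $Days days: $($v1.Count)"
$v1 | Format-Table Time, User, Workstation, SourceIp -AutoSize

# NTLMv2 sources are the migration backlog; group so the noisiest clients surface first
$inventory | Where-Object { $_.Version -eq 'NTLM V2' } |
    Group-Object Version, SourceIp, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The grouped output is the work list for the "shift to Kerberos" item: each row is a client or service account that will break if NTLMv2 is turned off before it is reconfigured.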

4. Transport Security: HSTS, MTA-STS, and DANE

Securing the connection is just as important as securing the server.

  • HSTS (HTTP Strict Transport Security): You must configure HSTS to force web browsers to connect to Outlook on the Web and the Exchange Admin Center (EAC) only via encrypted HTTPS, mitigating protocol downgrade attacks.
  • MTA-STS and DANE: These standards secure email transport between mail servers. Crucial Note: On-premises Exchange does not support these natively. To comply with these best practices, you must route outbound email through a third-party gateway or external service that supports these standards.
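Added example, not from the advisory or Messageware: the script below turns on HSTS for the Exchange Default Web Site through the site-level `<hsts>` element that IIS 10 (build 1709 and later) exposes, verifies the resulting header the way a browser would see it, and checks the MTA-STS policy that has to be published for the mail domain through DNS and an HTTPS host rather than by Exchange itself. It assumes the Exchange build supports HSTS, that nothing else already sets Strict-Transport-Security, and that `$OwaUrl` and `$MailDomain` are replaced with your own values (the defaults are placeholders). The `redirectHttpToHttps` attribute is deliberately left alone.

```powershell
# Added example (not from the advisory or Messageware): enable and verify HSTS
# on the Exchange web site, then check the MTA-STS policy for the mail domain.
param(
    [string]$OwaUrl     = 'https://mail.example.com/owa/',  # placeholder
    [string]$MailDomain = 'example.com'                      # placeholder
)

function Enable-ExchangeHsts {
    Import-Module IISAdministration -ErrorAction Stop
    $mgr   = Get-IISServerManager
    $cfg   = $mgr.GetApplicationHostConfiguration()
    $sites = $cfg.GetSection('system.applicationHost/sites').GetCollection()
    $site  = $sites | Where-Object { $_.GetAttributeValue('name') -eq 'Default Web Site' }
    $hsts  = $site.GetChildElement('hsts')
    $hsts.SetAttributeValue('enabled', $true)
    $hsts.SetAttributeValue('max-age', 31536000)          # one year
    $hsts.SetAttributeValue('includeSubDomains', $false)
    # redirectHttpToHttps is left at its default on purpose; follow Microsoft's
    # Exchange HSTS guidance before changing it.
    $mgr.CommitChanges()
}

function Test-HstsHeader {
    param([string]$Url)
    # HttpWebRequest behaves the same on Windows PowerShell and PowerShell 7 and
    # lets us read headers on a 3xx (OWA redirects anonymous requests to logon).
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.AllowAutoRedirect = $false
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    $header = $null
    if ($resp) { $header = $resp.Headers['Strict-Transport-Security'] }
    $maxAgeOk = $false
    if ($header -match 'max-age=(\d+)') { $maxAgeOk = ([int64]$Matches[1] -ge 31536000) }
    [pscustomobject]@{ Url = $Url; Header = $header; Compliant = $maxAgeOk }
}

function Test-MtaStsPolicy {
    param([string]$Domain)
    # RFC 8461: TXT record at _mta-sts.<domain> plus a policy file served over HTTPS
    $txt    = Resolve-DnsName -Name "_mta-sts.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $record = ($txt | ForEach-Object { $_.Strings }) -join ''
    $policy = $null
    try { $policy = (Invoke-WebRequest -Uri "https://mta-sts.$Domain/.well-known/mta-sts.txt" -UseBasicParsing).Content } catch { }
    $mode = 'none'
    if ($policy -match 'mode:\s*(\w+)') { $mode = $Matches[1] }
    [pscustomobject]@{ Domain = $Domain; DnsRecord = $record; PolicyMode = $mode; Enforcing = ($mode -eq 'enforce') }
}

Enable-ExchangeHsts
Test-HstsHeader   -Url $OwaUrl
Test-MtaStsPolicy -Domain $MailDomain
```

A policy whose mode is `testing` gives you reports but no protection; only `enforce` causes sending MTAs to refuse delivery over an unauthenticated or downgraded connection, which is the property the advisory is after.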

5. Anti-Spoofing: P2 FROM Detection & Download Domains

Two specific features address the integrity of the user experience and sender identity:

  • P2 FROM Header Detection: As of the November 2024 Security Update, Exchange can detect when the sender address displayed to the user (P2) does not match the actual sender (P1). This default setting flags spoofing attempts and should never be disabled.
  • Download Domains: This feature mitigates Cross-Site Request Forgery (CSRF). By loading attachments from a different subdomain than the one used for the Outlook web interface, you prevent malicious attachments from stealing browser authentication cookies.
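Added example, not from the advisory or Messageware: a check that Download Domains are configured consistently, which is where this feature usually fails in practice. It confirms the organization switch is on, that each OWA virtual directory has an external download host name that differs from the OWA host name (the whole point is a different origin), and that the certificate bound to IIS on that server actually covers the download host. Run it from the Exchange Management Shell; `$ExpectedHost` is a placeholder for your own download domain.

```powershell
# Added example (not from the advisory or Messageware): verify Download
# Domains configuration across OWA virtual directories.
param([string]$ExpectedHost = 'attachments.example.com')  # placeholder

function Test-CertCoversHost {
    param([string[]]$Names, [string]$HostName)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # Wildcard entry such as *.example.com (glob match is good enough here)
        if ($n.StartsWith('*.') -and $HostName -like $n) { return $true }
    }
    return $false
}

function Test-DownloadDomainConfig {
    param([string]$ExpectedHost)
    $orgEnabled = (Get-OrganizationConfig).EnableDownloadDomains
    foreach ($vd in Get-OwaVirtualDirectory) {
        $issues = @()
        if (-not $orgEnabled) { $issues += 'EnableDownloadDomains is off' }

        $dlHost  = [string]$vd.ExternalDownloadHostName
        $owaHost = $null
        if ($vd.ExternalUrl) { $owaHost = ([uri]$vd.ExternalUrl).Host }

        if (-not $dlHost) { $issues += 'no ExternalDownloadHostName set' }
        elseif ($dlHost -ne $ExpectedHost) { $issues += "download host is '$dlHost', expected '$ExpectedHost'" }
        if ($dlHost -and $owaHost -and ($dlHost -eq $owaHost)) {
            $issues += 'download host equals OWA host (no origin separation)'
        }

        # Certificate bound to IIS on the server hosting this vdir must include the download host
        $iisCerts  = Get-ExchangeCertificate -Server $vd.Server -ErrorAction SilentlyContinue |
            Where-Object { $_.Services -match 'IIS' }
        $certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains })
        if ($dlHost -and -not (Test-CertCoversHost -Names $certNames -HostName $dlHost)) {
            $issues += 'IIS certificate does not cover the download host'
        }

        $finding = 'OK'
        if ($issues.Count -gt 0) { $finding = $issues -join '; ' }
        [pscustomobject]@{
            Server       = $vd.Server
            OwaHost      = $owaHost
            DownloadHost = $dlHost
            InternalHost = [string]$vd.InternalDownloadHostName
            Finding      = $finding
        }
    }
}

Test-DownloadDomainConfig -ExpectedHost $ExpectedHost | Format-Table -AutoSize
```

The certificate check matters because a download host that resolves but presents a certificate without that name produces browser errors, which is the usual reason administrators quietly turn the feature back off.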

6. PowerShell Security: Certificate-Based Signing

PowerShell is a potent tool for admins, but also for attackers. To prevent unauthorized manipulation of administrative commands, Exchange now utilizes Certificate-Based Signing for PowerShell serialization payloads.

  • The Requirement: All Exchange servers in your network must use the same active Exchange Server Auth Certificate to sign this data.
  • Access Control: Disable remote PowerShell access for any user account that does not strictly require it to reduce the attack surface.
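Added example, not from the advisory or Messageware: a script that covers both bullets above. It reads the thumbprint of the current Exchange Server Auth Certificate from the auth configuration and confirms that certificate is present (and not about to expire) on every Mailbox server, then lists accounts with remote PowerShell enabled and disables any that are not on an allow list. Run it from the Exchange Management Shell; `$KeepEnabled` is a placeholder allow list of sAMAccountNames, and the disable step is a dry run unless `-Commit` is passed.

```powershell
# Added example (not from the advisory or Messageware): auth-certificate
# consistency across servers plus a remote PowerShell access audit.
param([string[]]$KeepEnabled = @('exadmin1', 'exadmin2'))  # placeholder allow list

function Test-AuthCertificateConsistency {
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }) {
        $cert = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $thumb -ErrorAction SilentlyContinue
        $present = [bool]$cert
        $expires = $null
        if ($cert) { $expires = $cert.NotAfter }
        $finding = 'OK'
        if (-not $present) {
            $finding = 'FINDING: current auth certificate missing on this server'
        } elseif ($expires -lt (Get-Date).AddDays(30)) {
            $finding = 'WARN: auth certificate expires within 30 days'
        }
        [pscustomobject]@{
            Server     = $srv.Name
            Thumbprint = $thumb
            Present    = $present
            NotAfter   = $expires
            Finding    = $finding
        }
    }
}

function Get-RemotePowerShellUsers {
    # Client-side filter keeps this version-independent; it is slow in large directories
    Get-User -ResultSize Unlimited | Where-Object { $_.RemotePowerShellEnabled } |
        Select-Object Name, SamAccountName, RecipientTypeDetails
}

function Disable-UnneededRemotePowerShell {
    param([string[]]$Allow, [switch]$Commit)
    # Make sure the account you are running as is on the allow list, or you
    # will remove your own access.
    foreach ($u in Get-RemotePowerShellUsers) {
        if ($Allow -contains $u.SamAccountName) { continue }
        if ($Commit) {
            Set-User -Identity $u.SamAccountName -RemotePowerShellEnabled $false
            "Disabled remote PowerShell for $($u.SamAccountName)"
        } else {
            "Would disable remote PowerShell for $($u.SamAccountName) (rerun with -Commit)"
        }
    }
}

Test-AuthCertificateConsistency | Format-Table -AutoSize
Disable-UnneededRemotePowerShell -Allow $KeepEnabled   # dry run by default
```

Review the dry-run list before committing: service and arbitration accounts sometimes carry the flag for legitimate reasons, and those belong on the allow list rather than in the disable pass.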

7. Advanced Configuration: RBAC Split Permissions

A common fatal flaw in Exchange deployments is using highly privileged Active Directory (AD) Domain Admin accounts to manage Exchange. If that account is compromised, the attacker owns the entire domain.

The Fix: Implement Role-Based Access Control (RBAC) with Split Permissions. This separates the management of Active Directory principals from Exchange data. By uncoupling these duties, an Exchange server compromise does not automatically lead to a total domain takeover.
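Added example, not from the advisory or Messageware: the overlap the section warns about is measurable. The script below expands the Exchange "Organization Management" role group (including nested AD groups, which Get-RoleGroupMember does not recurse into) and intersects it with the recursive membership of "Domain Admins". It also shows who holds the two management roles that Microsoft's split-permissions documentation describes as removed from role groups under Active Directory split permissions; treat that part as an indicator rather than proof of the mode. Run it from the Exchange Management Shell with the ActiveDirectory module installed.

```powershell
# Added example (not from the advisory or Messageware): find Domain Admins
# who also administer Exchange, and show an AD split-permissions indicator.
Import-Module ActiveDirectory -ErrorAction Stop

function Expand-RoleGroupMembers {
    # Returns a HashSet of member DNs with nested groups expanded
    param([string]$RoleGroup)
    $dns = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($m in Get-RoleGroupMember -Identity $RoleGroup) {
        $obj = Get-ADObject -Identity $m.DistinguishedName -Properties objectClass
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $m.DistinguishedName -Recursive |
                ForEach-Object { [void]$dns.Add($_.DistinguishedName) }
        } else {
            [void]$dns.Add($m.DistinguishedName)
        }
    }
    return ,$dns   # comma prevents PowerShell from unrolling the set
}

function Get-ExchangeDomainAdminOverlap {
    $orgMgmt = Expand-RoleGroupMembers -RoleGroup 'Organization Management'
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $orgMgmt.Contains($_.DistinguishedName) } |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'Finding'; e = { 'Domain Admin also holds Organization Management' } }
}

function Get-SplitPermissionsIndicator {
    # Assumption: under AD split permissions these two roles are not assigned
    # to any role group, per Microsoft's split-permissions documentation.
    foreach ($role in 'Mail Recipient Creation', 'Security Group Creation and Membership') {
        $assignees = Get-ManagementRoleAssignment -Role $role -Enabled $true -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RoleAssignee.Name } | Sort-Object -Unique
        $note = 'Consistent with AD split permissions'
        if (@($assignees).Count -gt 0) { $note = 'Role still assigned; AD split permissions likely not in effect' }
        [pscustomobject]@{
            Role       = $role
            AssignedTo = (@($assignees) -join ', ')
            Note       = $note
        }
    }
}

"Accounts that are both Domain Admins and Organization Management members:"
Get-ExchangeDomainAdminOverlap | Format-Table -AutoSize
"Split-permissions indicator:"
Get-SplitPermissionsIndicator | Format-Table -AutoSize
```

Every row in the first table is an account whose compromise through Exchange hands over the domain; the remediation is a separate, non-Domain-Admin account for Exchange administration, which is exactly what split permissions enforces structurally.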

8. Enhanced Malware Defense: AMSI, ASR Rules, and App Control

Standard antivirus is no longer enough. You must integrate Exchange with the deeper defensive capabilities of the Windows OS:

  • AMSI (Antimalware Scan Interface): This allows your security solutions to inspect content sent to Exchange via HTTP requests in real time.
  • ASR (Attack Surface Reduction): Specifically, enable the rule to “Block Webshell creation for Servers.” Webshells are the primary persistence method for Exchange attackers.
  • App Control: Use AppLocker or App Control for Business to enforce “deny-by-default” policies, ensuring only approved executables and scripts can run on the server.
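Added example, not from the advisory or Messageware: an audit of the three OS-level controls listed above on a single Exchange server. It checks that no Exchange setting override has switched off AMSI request scanning (Microsoft's documented way to disable the integration is an override on component `Cafe`, section `HttpRequestFiltering`), that the webshell-blocking ASR rule is in Block rather than Audit mode, and that AppLocker or App Control for Business is actually enforcing. Run it elevated from the Exchange Management Shell. `$WebshellAsrRuleId` is a placeholder that must be filled in from Microsoft's ASR rules reference, and the remediation step is a dry run unless `-Commit` is passed.

```powershell
# Added example (not from the advisory or Messageware): AMSI override check,
# ASR webshell rule state, and application-control enforcement on one server.
param([string]$WebshellAsrRuleId = '00000000-0000-0000-0000-000000000000')  # placeholder GUID

function Get-AmsiOverrideFindings {
    Get-SettingOverride | Where-Object {
        $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering'
    } | ForEach-Object {
        [pscustomobject]@{
            Override   = $_.Name
            Servers    = (@($_.Server) -join ', ')      # empty means org-wide
            Parameters = (@($_.Parameters) -join '; ')
            Finding    = 'AMSI request scanning disabled by setting override'
        }
    }
}

function Get-AsrRuleState {
    param([string]$RuleId)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $idx     = [array]::IndexOf($ids, $RuleId.ToLower())
    $state   = 'Not configured'
    if ($idx -ge 0) {
        # Defender action codes: 0 disabled, 1 block, 2 audit, 6 warn
        $state = switch ([int]$actions[$idx]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
            default { "Unknown ($($actions[$idx]))" }
        }
    }
    [pscustomobject]@{ RuleId = $RuleId; State = $state; Enforced = ($state -eq 'Block') }
}

function Enable-WebshellAsrRule {
    param([string]$RuleId, [switch]$Commit)
    if ($Commit) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
    } else {
        "Would run: Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled"
    }
}

function Get-AppControlState {
    # AppLocker: enforcement mode of each rule collection in the effective policy
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    foreach ($rc in @($policy.RuleCollections)) {
        [pscustomobject]@{
            Control = "AppLocker/$($rc.RuleCollectionType)"
            Mode    = [string]$rc.EnforcementMode
            Rules   = $rc.Count
        }
    }
    # App Control for Business (WDAC): 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $status    = [int](@($dg.CodeIntegrityPolicyEnforcementStatus)[0])
        $modeNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
        $mode = 'Unknown'
        if ($modeNames.ContainsKey($status)) { $mode = $modeNames[$status] }
        [pscustomobject]@{ Control = 'App Control for Business'; Mode = $mode; Rules = $null }
    }
}

"AMSI overrides (any row is a finding):"
Get-AmsiOverrideFindings | Format-Table -AutoSize
"ASR webshell rule:"
$asr = Get-AsrRuleState -RuleId $WebshellAsrRuleId
$asr | Format-Table -AutoSize
if (-not $asr.Enforced) { Enable-WebshellAsrRule -RuleId $WebshellAsrRuleId }   # dry run
"Application control:"
Get-AppControlState | Format-Table -AutoSize
```

An ASR rule sitting in Audit mode is the common half-measure: it logs the webshell write but does not stop it, so the table's Enforced column is the value to alert on, not mere presence of the rule.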

9. Compliance: Security Baselines

Don’t guess at your configurations. The advisory urges organizations to adopt authoritative security baselines to ensure a consistent, hardened posture.

Adhering to these documented standards not only tightens security but simplifies compliance auditing.

10. Zero Trust Principles: Applied to Exchange

Finally, the advisory emphasizes that all the measures above are components of a Zero Trust architecture.

  • Assume Breach: Operate under the assumption that threats are already inside the network.
  • Verify Explicitly: Every access request—whether from a user or a server—must be authenticated and authorized.
  • Least Privilege: Limit access rights for users and administrators to the bare minimum required to function.

The “set it and forget it” era of Exchange Server management is over. The threats are persistent, and the adversaries are sophisticated. By implementing these 10 measures, you align your organization with the highest standards of cybersecurity recommended by NSA and CISA, significantly reducing the risk of becoming the next headline. However, to address the remaining security gaps that native configurations cannot fully mitigate, active third-party defense is essential.

Messageware’s solutions are designed to bridge these gaps by adding intelligent, Exchange-aware protection. Our Exchange Protocol Guard (EPG) integrates with dynamic threat feeds to detect and stop password-guessing attacks and long-term reconnaissance, blocking malicious connections before they reach your server. 

The full security advisory can be found here: CISA Microsoft Exchange Server Security Best Practices

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.