
Exchange Server Emergency Mitigation Service

Tim

6th October 2021

5 min read


It has been a tough few months for Microsoft. After the SolarWinds/NOBELIUM attacks, Microsoft Exchange customers were afflicted with a slew of vulnerabilities. In March 2021, the ProxyLogon vulnerability emerged, followed by an exploit that surfaced in April 2021 called NSA Meeting. In August 2021, Orange Tsai released a series of new vulnerabilities called ProxyOracle and ProxyShell, followed by the discovery of another Proxy flaw, dubbed ProxyToken.

This week, it was revealed that a new Autodiscover flaw could be used to steal user credentials. The Autodiscover flaw was reported by Marco Van Beek to Microsoft in 2016 and was also separately discovered by security researcher Amit Serper. In 2016, Microsoft stated that this was not a “security issue to be serviced as part of our monthly Patch Tuesday process”. However, this is perhaps a sign of Microsoft’s renewed focus on Exchange vulnerabilities, as 5 years later Microsoft has stated that it is “continuing to investigate” the issue.


What is the Emergency Mitigation service?

Microsoft has clearly recognised that organisations find it difficult to patch their on-premises servers in time, and has therefore released a new feature called the Microsoft Exchange Emergency Mitigation service (EM). Whilst the service is not designed to be a replacement for security updates (SUs), it aims to be the fastest and easiest way to mitigate the highest threats prior to installing the applicable SUs. It applies a temporary fix until the relevant security update, which properly fixes the issue, can be installed.

The new mitigation service is designed to reduce the reliance on manual patching and take a much more proactive approach when threats are discovered. This means that the mitigation service may automatically disable features or functionality on an Exchange server in response to threats. To do this, the EM runs as a Windows service that integrates with the cloud-based Office Config Service (OCS). Every hour the Exchange server checks the OCS for any required mitigations. If mitigations are found, they are sent to the Exchange server, which verifies their signatures to ensure they have not been tampered with and then automatically applies the preconfigured settings.

There are a number of mitigations that can be applied, but Microsoft has outlined the following actions that can be taken:

  • Disabling an Exchange Service
  • Disabling a virtual directory or app pool, and most importantly;
  • Implementing an IIS rewrite rule to filter malicious HTTPS requests

For this reason, the EM service requires the IIS URL Rewrite module v2 to be installed on the Exchange server. This module is now a prerequisite for installing Exchange and is included with the September 2021 CU. It will be installed whether you plan to use the EM service or not.

It must be noted that running the service is optional and it can be disabled by an admin. Microsoft advises that it should be disabled on Exchange servers without internet connectivity, because the service cannot work if it cannot connect to OCS.


How to manage the Emergency Mitigation service

There are a number of new commands that have been added to allow administrators to manage the service. These include disabling the service at the organisational level, the Exchange server level, and blocking individual mitigations. Blocked mitigations are added to a blocklist to prevent them from being reapplied in the future, for example:

  • To block mitigations named "M1" and "M2" you can use: Set-ExchangeServer -Identity -MitigationsBlocked @("M1", "M2")
  • To remove M2 from the blocklist where both M1 and M2 have previously been blocked, set the list to only M1: Set-ExchangeServer -Identity -MitigationsBlocked @("M1")
  • Removing all mitigations from the blocklist is a case of passing an empty array: Set-ExchangeServer -Identity -MitigationsBlocked @()
  • Microsoft has included a script with the update called Get-Mitigation.ps1, which can be used to export both the list of applied mitigations and their descriptions: .\Get-Mitigation.ps1 -Identity -ExportCSV "C:\temp\CSVReport.csv"

The EM service is intended to be an interim measure. When mitigations are applied but no longer required (as in the case of a CU or SU update), the admin must manually remove applied mitigation actions to reverse their effects.

If an update patches an issue for which there is a mitigation, the mitigation will be removed from the list of available mitigations to download and will also remove itself from the list of applied mitigations. However, the mitigation itself remains configured on the server. If the mitigation was to disable a service, the admin will need to manually enable the service again.

In the case of IIS rewrite rules, Microsoft has prefixed these with “EEMS ”, but currently the onus is on admins to track what automatic mitigations have been applied.

  • The following command may help track these mitigations by showing the applied and blocked mitigations for a server: Get-ExchangeServer -Identity | fl Name, MitigationsApplied, MitigationsBlocked
  • Actions taken by the EM service are also logged and can be searched using Search-AdminAuditLog. Note that the admin audit log records modifying cmdlets, so the search is for Set-ExchangeServer rather than Get-ExchangeServer. An example to search for mitigations applied and blocked in October: Search-AdminAuditLog -Cmdlets Set-ExchangeServer -Parameters MitigationsApplied, MitigationsBlocked -StartDate 10/01/2021 -EndDate 10/31/2021
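Because the admin has to reverse applied mitigations by hand once the real fix is installed, it helps to have one script that reports everything the EM service may have changed. The following PowerShell is an added example written for this post, not Microsoft's Get-Mitigation.ps1; it assumes it is run from the Exchange Management Shell on a server with the IIS WebAdministration module, and that the MitigationsEnabled switch on Set-OrganizationConfig / Set-ExchangeServer is the org- and server-level control for the service.

```powershell
# Added example: inventory what the Emergency Mitigation service has applied
# so each item can be reviewed and manually reversed after the SU/CU ships.
# Assumes Exchange Management Shell + IIS WebAdministration module.
Import-Module WebAdministration

# Org-level switch for the service (assumed: MitigationsEnabled property).
$org = Get-OrganizationConfig
"Organisation MitigationsEnabled: $($org.MitigationsEnabled)"

# Per-server state: the service switch, applied mitigations and the blocklist.
Get-ExchangeServer |
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# IIS rewrite rules installed by the service carry the "EEMS " prefix.
# Walk the Default Web Site recursively so vdir-level rules are included.
$eemsRules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
    -PSPath 'IIS:\Sites\Default Web Site' -Recurse |
    Where-Object { $_.name -like 'EEMS *' }

foreach ($rule in $eemsRules) {
    [pscustomobject]@{
        Rule     = $rule.name
        Location = $rule.Location      # site/vdir the rule is scoped to
        Pattern  = $rule.match.url     # request pattern the rule filters
        Action   = $rule.action.type   # e.g. AbortRequest
    }
}

# A mitigation may also have disabled an Exchange service or an app pool;
# surface those so the admin can decide whether to re-enable them.
Get-Service -Name 'MSExchange*' |
    Where-Object { $_.StartType -eq 'Disabled' } |
    Select-Object Name, Status, StartType

Get-ChildItem IIS:\AppPools |
    Where-Object { $_.state -ne 'Started' } |
    Select-Object Name, state
```

Run it before and after installing a CU or SU and diff the two reports: anything still listed afterwards is a mitigation that the update did not unwind and that the admin must remove manually.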

Overall, this is a welcome step in the right direction for fast automatic patching of vulnerabilities as soon as mitigations are available. The interim nature of the solution does create some headaches for administrators, but given the severity of recent Exchange exploits, this may be a price worth paying for the additional protection.

Sentrium can assist with your security needs, view our penetration testing services for more details or contact us today.
