Hello, welcome to the Wednesday, March 17th, 2021 edition of the Santernut Stormsterners Stormcast. My name is Johannes Ulrich. And then I'm recording well from virtual San Diego, at least that's where the conference I'm teaching at this week would have happened. Microsoft today published a new One-Click Microsoft

Exchange on-premises mitigation tool. This tool is, as Microsoft says, the quickest way and

easiest way to mitigate the proxy log-on vulnerability on exchange servers.

Now, first of all, there's one thing the tool does not do.

It does not apply the patch, but it does implement other mitigation techniques that Microsoft

outlined before.

For example, there are some IAS rewrite rules and so that can be

used to prevent some of the exploits. This tool will also check if your server is already compromised.

These checks are done based on the type of exploits that Microsoft has seen so far.

So, for example, the tool will look for existing web shells, and it also includes the

latest version of Microsoft Safety Scanner.

Microsoft Safety Scanner, unlike a normal anti-Malver product, is not something that sort of detects a wide range of malware or runs in the background.

It's a tool that you're running on demand to look for specific threats, like in this case, for exploits and backdoors and the like being left behind by common proxy logon exploits.

So you definitely should do a manual scan as well after running the tool, but it's a real good

first tool to run.

It's quick.

It's simple.

And it's likely to find any exploits that were left behind using the proxy log on vulnerability.

So in short, if you are coming across an exchange server that hasn't been patched yet, run this tool first, make sure it hasn't been compromised, and then still apply the patch.

And while sticking with Microsoft for another story yesterday, of course, Microsoft had an

outage of its Azure Active Directory system, and today Microsoft published a pretty nice

and detailed document explaining what exactly happened.

...