Exchange servers are high-value targets for attackers. If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions.
In April, Exchange-specific behavior-based detections in Microsoft Defender ATP showed attackers operating on on-premises Exchange servers using deployed web shells. The attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving the threats, and demonstrating how behavior-based detections are key to protecting organizations.
Behavior-based blocking and containment capabilities in Microsoft Defender ATP stop many of the malicious activities associated with Exchange server attacks. In addition, endpoint detection and response (EDR) sensors provide visibility into other suspicious and malicious activities on Exchange servers. Detections are reported as alerts. The new alert page presents data in an investigation-driven approach meant to empower SecOps teams to easily investigate and take actions.