
Update Exchange Server or move to the cloud, say experts

Tuesday January 28, 2025. 02:55 AM , from ComputerWorld
Microsoft Exchange administrators running versions older than March 2023 need to update or they won’t get the latest security mitigations, says an expert.

But, David Shipley added, even better advice is to shift quickly to the cloud-based Microsoft 365, which always has the latest patches.

“Running your own Exchange Server is really a bad idea in 2025,” said Shipley, head of Canada-based security awareness training provider Beauceron Security. “Anyone not patched to the nines, to the latest standard [today], is asking for trouble.”


Shipley was commenting on last week’s caution from Microsoft that an older Office Configuration Service (OCS) certificate used to verify automatically downloaded Exchange Server mitigations is being deprecated. The new certificate, which is deployed by the Exchange Emergency Mitigation Service (EEMS), can only be read by servers running Exchange Server Cumulative Updates or Security Updates newer than March 2023.

The Microsoft alert said, “The EEMS running Exchange versions older than March 2023 is not able to contact OCS to check for and download new mitigation definitions. You might see an event like the following event logged in the Application log of the server:

Error, MSExchange Mitigation Service
Event ID: 1008
An unexpected exception occurred.
Diagnostic information: Exception encountered while fetching mitigations.”

In the alert, the company urged admins to take action, saying, “If your servers are so much out of date [pre-March 2023], please update your servers ASAP to secure your email workload and re-enable your Exchange server to check for EEMS rules.” 
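
One way to check servers for the event quoted above, as an added example that is not from Microsoft or the original article. It assumes the event provider name matches the source string shown in the alert; the function name and its parameters are hypothetical.

```powershell
# Added example. Assumption: the provider name equals the source string quoted
# in the alert ("MSExchange Mitigation Service"). Function name is hypothetical.
function Get-EemsFetchFailure {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$LookbackDays = 7
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Mitigation Service'
        Id           = 1008
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }

    foreach ($server in $ComputerName) {
        $status = 'NoFailuresLogged'
        $events = @()
        try {
            # Event ID 1008 is a generic exception event, so keep only the
            # entries whose text matches the mitigation fetch failure.
            $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -like '*fetching mitigations*' })
            if ($events.Count -gt 0) { $status = 'FetchFailing' }
        }
        catch {
            # "No matching events" is the healthy case; any other error means
            # the log could not be read and the server is still unverified.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $status = "QueryFailed: $($_.Exception.Message)"
            }
        }

        $sorted = @($events | Sort-Object TimeCreated)
        [pscustomobject]@{
            Server    = $server
            Status    = $status
            Count     = $events.Count
            FirstSeen = ($sorted | Select-Object -First 1).TimeCreated
            LastSeen  = ($sorted | Select-Object -Last 1).TimeCreated
        }
    }
}

# Checks the local server; pass -ComputerName to cover several Exchange hosts.
Get-EemsFetchFailure -LookbackDays 14 | Format-Table -AutoSize
```

A `QueryFailed` status is reported separately from `NoFailuresLogged` so that an unreachable server is not mistaken for a healthy one.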

The Microsoft blog is “alarming,” said Andrew Grotto, a research scholar at Stanford University’s Centre of International Security and Co-operation and the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations. “It shows how sticky [on-premises] Exchange is.”

Exchange mitigations are essentially hot fixes that plug holes, Shipley explained. Shifting to the software-as-a-service M365 doesn’t solve all security problems for the email service, he acknowledged, but, he added, it does solve the problem of threat actors being able to exploit unpatched or aged versions of the server, because Microsoft installs fixes for Microsoft 365 as soon as it creates them.

It isn’t known how many organizations still run Exchange on-premises, but Shipley said he knows at least one unnamed public service organization currently running Exchange 2013.

Why do IT admins still have old versions of Exchange — or any other software? One reason: To save money on expensive software and hardware updates, Shipley said.

“Legacy infrastructure is the most difficult addiction to kick,” added Roger Cressey, a partner with US-based Liberty Group Ventures and formerly a senior vice-president at the Booz Allen Hamilton consultancy, where he supported the firm’s cybersecurity practice in the Middle East.

Both men stressed that better security is one of the biggest reasons to move to the cloud. This is particularly true for Exchange. It’s been hit by a number of vulnerabilities, including zero-day holes. Arguably the most notorious were the vulnerabilities dubbed ProxyLogon, exploited in 2021 by a China-based group called Hafnium. There was also a chain of vulnerabilities called ProxyShell.

These issues led to the release in September 2021 of Exchange Server updates that included the EEMS, which applies mitigations to the servers until patches are developed.

On-premises Exchange — and not just older versions — should be considered a legacy product, Johannes Ullrich, dean of research at the SANS Institute, said in an email to CSO. “Support from Microsoft is decreasing, and the overall tendency at Microsoft is to push Exchange users to cloud offerings. There is probably no good reason to avoid this push and to migrate to cloud e-mail services as soon as possible. Exchange support is only going to decrease and patching will remain painful.”

Thus, said Cressey, Exchange admins should “move to address” the Microsoft warning.

https://www.computerworld.com/article/3810887/update-exchange-server-or-move-to-the-cloud-say-expert...
