Proxylogon Vulnerabilities – Next Steps

Non-Technical Advice

The vulnerabilities described on this and the previous pages are known as the Proxylogon vulnerabilities affecting various versions of the ‘on-premises’ Microsoft Exchange email server (2013, 2016 and 2019). If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk of being exploited by these vulnerabilities.

While this is a collection of four vulnerabilities, the highest risk vulnerability has been independently scored as posing a critical risk to most organisations.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

What to do now

1) Verify these Vulnerabilities Exist for You

We understand that you may not come from a technical background. You may need to discuss this vulnerability notification with your ICT team or provider. We have also provided technical information for them, which can be read on the technical information pages for this vulnerability. If you do not have an ICT team or existing provider, we can signpost you to appropriate assistance (see Step 5 – Plan to Resolve these Vulnerabilities).

The key steps should be:

  • Do you use the Microsoft Exchange server on your premises or on the premises of a supplier (rather than cloud-based M365)?
  • If yes, what version are you running – have you installed all available patches and updates?

2) Establish if these Vulnerabilities have already been exploited on your systems

If these vulnerabilities are present within your systems, it is then important to establish whether criminals have already taken advantage of these in preparation for an attack on you. History shows us that cyber-criminals often loiter in the systems of their victims for a period which may be days to months before a visible attack happens.

The Operation Configured team do not have any information or intelligence to indicate whether or not your organisation has or has not been compromised as a result of these vulnerabilities.

How you detect this depends on the nature of your systems and it is highly likely you will need advice from your ICT team or provider to work this out. It requires detailed review of your computer logs for clues or ‘Indicators of Compromise’, as described by the Microsoft guidance:

If you believe your systems have been compromised, please read our advice on reporting cybercrime:

3) Establish the Threat, Risk and Harm these Pose

Not every vulnerability will pose the same risk to all organisations. The level of risk this presents you should be used to influence how you move forward resolving these vulnerabilities – in particular, the speed at which you do this.

The Threat – is what may happen. In this case, that means the exploitation of these vulnerabilities.

The Harm – is the likely adverse consequence of the threat actually happening. The question you need to ask yourself is: “Based on what I have read about this, what are criminals likely to be able to do to my organisation if they do exploit these vulnerabilities – what harm will this cause?” Harm may manifest itself in many ways – financial, operational, personal, etc… The harm may be direct or indirect – for example, there may be obvious financial harms (cost of responding to and resolving an incident, lost revenue, etc…) as well as further organisational harms such as regulatory fines.

Consequences of ignoring or choosing not to resolve these vulnerabilites may include, but are not limited to:

  • Theft of your data
  • Corruption of your backups
  • Using you to attack others you work with, damaging your reputation
  • Destruction of your data
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

The Risk – this is the likelihood the threat will occur. It may well be that you are confident this vulnerable system is well protected through other measures and the risk is low as a result. It is important you understand the risk in the context of your organisation and your systems. Determining the acceptable degree of risk is a skill in itself and underestimating the risk can have catastrophic consequences for your organisation.

Risk may be measured for each potentially vulnerable system, as well as an overall assessment of risk.

There are two common methods to assessing risk – quantitative (based on measurable data) and qualitative (descriptive). Qualitative is often used if there is insufficient data to make a quantitative assessment or for screening risk, and can often be demonstrated on a risk assessment matrix such as this:

4) Isolate and Mitigate the Immediate Risk

You may not be able to immediately resolve these vulnerabilities – this is something highly dependent on the nature of your systems and organisation and the availability of a fix for these vulnerabilities. Your technical team are likely to want the opportunity to develop an understanding of how best to resolve these vulnerabilities including any potential adverse consequences. Even installing a patch can sometimes have knock-on effects on other systems.

Because of this, it is important to explore how best to mitigate the immediate risk – can it be removed or reduced, at least temporarily, until the bigger issue is resolved. This often means isolating the affected system so that it cannot talk to other parts of the network – and probably cutting it off from the public internet. Doing this quickly may prevent a serious attack in the very near future.

However, it is also important that you work with your technical team to explore the implications of implementing any mitigations. It may be quicker, easier and safer overall to fully fix the vulnerabilities from the outset.

The key mitigation for these vulnerabilities involves patching and updating the Microsoft Exchange server you have or use. Because the server is an email server, other mitigations such as disconnecting can only be very short-lived solutions while exploring and resolving the problem.

5) Plan to Resolve these Vulnerabilities

It is essential that you work with your ICT team to identify why the Microsoft Exchange email server has not yet been updated with the patches which solve these vulnerabilities. There may be deeper issues such as the technical specification of your server, the licence version you hold or interoperability with other software you use that have so far held-back these updates. However, the critical nature of these vulnerabilities should drive you to consider applying the patches sooner rather than later, even if some other processes or upgrades have to follow afterwards.

Getting Help to resolve a Vulnerability

We understand that not all organisations have an in-house ICT team or an existing relationship with an external provider who can support them in dealing with these and other vulnerabilities. If you need assistance, please see here for more information.

6) Plan for the Future

The final phase of responding to this notification is learning. This is an opportunity for your organisation to improve things and become independently proactive in identifying and resolving this kind of problem. A cyber attack is one of the most likely adverse incidents to face any organisation in the modern world and requires a dedicated strategy, ownership at a strategic level and a plan for regular review with iterative improvement.

For more guidance:

Disclaimer: The advice provided on this website is for general information only and is not intended to replace specific professional advice relevant to your organisation. Information on the website is not comprehensive and may not reflect the most recent legislation, practice, advice or application to your specific circumstances.
The South-East Regional Organised Crime Unit (SEROCU) does not accept any responsibility for any loss which may arise from reliance on information or materials published on this website.  It is not responsible for the content of external internet sites that link to this site or which are linked from it.