Microsoft to Throttle Traffic from Legacy Exchange Servers


Microsoft confirmed this week that it will throttle traffic from unsupported and unpatched Exchange servers because of security concerns. The change goes into effect tomorrow, May 10, and it impacts on-premises Exchange servers that connect to Exchange Online.

“There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security,” the Exchange team explains. “Once a version of Exchange Server is no longer supported, it no longer receives security updates; thus, any vulnerabilities discovered after support has ended don’t get fixed. There are similar risks associated with running software that is not patched for known vulnerabilities. Once a security update is released, malicious actors will reverse-engineer the update to get a better understanding of how to exploit the vulnerability on unpatched servers.”

Initially, the change only impacts on-premises servers running Exchange Server 2007 that send mail to Exchange Online, Microsoft’s cloud-hosted email service, in a hybrid deployment. But it will eventually be extended to all unsupported versions of Exchange Server and to what Microsoft calls “persistently vulnerable” instances: servers that are not patched for known vulnerabilities. That category is not limited to end-of-life versions. Even supported versions, such as Exchange 2016 and Exchange 2019, are considered persistently vulnerable if they are significantly behind on security updates, Microsoft says, which means that traffic from them will be throttled soon too.
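The practical question for an admin reading this is which servers in their own org fall under the enforcement. The following inventory script is an added example, not code from the article or from Microsoft. It assumes it is run from the Exchange Management Shell by an Exchange administrator, and the helper name Get-ExchangeProductName is made up for this example; the major/minor-version-to-product mapping it uses (8.x = Exchange 2007, 14.x = 2010, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019) is Exchange’s own versioning scheme.

```powershell
# Added example (not from the article or from Microsoft). Inventories every
# on-premises Exchange server in the org and flags the ones that the Exchange
# Online enforcement described above targets: Exchange 2007 first, then any
# other version that no longer receives security updates.
# Run from the Exchange Management Shell on a supported server in the org.

function Get-ExchangeProductName {
    # Maps an AdminDisplayVersion object to a product name using Exchange's
    # own version scheme: 8.x = 2007, 14.x = 2010, 15.0/15.1/15.2 = 2013/2016/2019.
    param([Parameter(Mandatory)] $Version)
    switch ($Version.Major) {
        8  { return 'Exchange 2007' }
        14 { return 'Exchange 2010' }
        15 {
            switch ($Version.Minor) {
                0 { return 'Exchange 2013' }
                1 { return 'Exchange 2016' }
                2 { return 'Exchange 2019' }
            }
        }
    }
    return "Unknown ($($Version.Major).$($Version.Minor))"
}

# Versions that no longer receive any security updates (as of May 2023).
$outOfSupport = @('Exchange 2007', 'Exchange 2010', 'Exchange 2013')

$report = Get-ExchangeServer | ForEach-Object {
    $product = Get-ExchangeProductName -Version $_.AdminDisplayVersion
    [pscustomobject]@{
        Server       = $_.Name
        Product      = $product
        Build        = $_.AdminDisplayVersion.ToString()
        Role         = $_.ServerRole
        Site         = $_.Site.Name
        OutOfSupport = ($outOfSupport -contains $product)
        # Only Exchange 2007 is in the first enforcement wave per the article.
        FirstWave    = ($product -eq 'Exchange 2007')
    }
}

$report | Sort-Object OutOfSupport, FirstWave -Descending | Format-Table -AutoSize

# Supported builds (2016/2019) still count as "persistently vulnerable" when they
# are far behind on security updates. Compare each Build against the latest CU/SU
# for that product on Microsoft's "Exchange Server build numbers and release dates"
# page; those numbers change with every update, so they are deliberately not
# hard-coded here.
$report | Where-Object { $_.OutOfSupport } | ForEach-Object {
    Write-Warning ("{0} runs {1} ({2}): it receives no security updates and falls " +
                   "under the Exchange Online enforcement for unsupported servers.") `
        -f $_.Server, $_.Product, $_.Build
}
```

A server that shows up as FirstWave is affected as soon as the enforcement starts if it sends mail to Exchange Online in a hybrid setup; the rest of the OutOfSupport rows are the ones Microsoft says the enforcement will be extended to next.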

This strategy has raised the obvious concern that Microsoft is simply trying to force customers to move to its cloud-hosted services. But the software giant denies this.

“Our goal is to help customers secure their environment, wherever they choose to run Exchange,” the Exchange Server team notes. “The enforcement system is designed to alert admins about security risks in their environment, and to protect Exchange Online recipients from potentially malicious messages sent from persistently vulnerable Exchange servers.”

It also argues that this step is necessary because there has been a “significant increase in the frequency of attacks against Exchange servers over the last few years,” and because “a significant number of organizations don’t install updates or are far behind on updates, and are therefore putting themselves, their data, as well as the organizations that receive email from them, at risk.” Microsoft has no way to contact the admins of these organizations directly, and so it is “using activity from their servers to try to get their attention.”

“Our goal is to raise the security profile of the Exchange ecosystem,” Microsoft says.


Thurrott © 2023 BWW Media Group