After a first workaround for an Exchange zero-day vulnerability proved ineffective and Microsoft improved it, the manufacturer has now presented yet another correction.
Exchange administrators can’t rest: after an initial workaround for an actively attacked zero-day vulnerability in Exchange did not protect correctly and Microsoft published an updated set of rules, the manufacturer has once again presented an updated rule. Microsoft advises administrators to remove the previously created rule and use a new one.
In the updated Microsoft countermeasures guide, the company explains that the new request-blocking rule to be created for Autodiscover must contain the string “.*autodiscover\.json.*Powershell.*”. Administrators should select the “Regular Expression” option under “Using” and “Abort Request” under “How to block”. What is new is that administrators should then select the newly created rule, click “Edit” under “Conditions” and, in the “Condition input” field, change the string “{URL}” to “{UrlDecode:{REQUEST_URI}}”.
Other countermeasures
To better protect against attacks on the vulnerability, IT managers should also disable remote PowerShell access for non-administrators. In the update, Microsoft makes it very clear that administrators should implement both measures, i.e. create the rule and revoke remote PowerShell access.
For Exchange installations in which the administrators have activated the Exchange Emergency Mitigation Service (EEMS), Microsoft has already distributed the updated rule again, so administrators do not have to take action there. Without this service, admins can either use the likewise updated EOMTv2 script with version number 22.10.05.2304 to apply the rule automatically or create the rule entirely by hand.
It is to be hoped that the current set of rules will work against active attacks without further changes and that Microsoft will soon be able to provide a software update that correctly closes the security gaps.