M365 Changelog: Awareness of Exchange Server Vulnerability for On-Premises servers

MC244043 – We are sending this notification to raise awareness for customers who may be running Exchange servers in either hybrid or on-premises environments. If you are not in either of those scenarios, you may safely ignore this message.

Please note that the online services included in your Microsoft 365 or Office 365 subscription are not impacted by the announced vulnerabilities.

How this will affect your organization:

If you are running Exchange servers in hybrid or on-premises, we recommend you take immediate action to address the potential vulnerabilities that are affecting Exchange Server 2013, 2016 and 2019.

What you need to do:

Steps to get your Exchange Servers up to date are detailed on our Microsoft Security Response Center (MSRC) blog. We also recommend that your security/IT team or support partner evaluate whether the vulnerabilities were exploited in your environment by using the techniques published on the MSRC blog.

Additional Information:

You can find more information about these attacks in these articles:

• Multiple Security Updates Released for Exchange Server – updated March 8, 2021 – Microsoft Security Response Center
• March 2021 Exchange Server Security Updates – Microsoft Tech Community
• Microsoft On the Issues blog: New nation-state cyberattacks
• Microsoft Threat Intelligence Center blog: Hafnium targeting Exchange Servers with 0-day exploits

If you have issues during the update process, please see: Repair failed installations of Exchange Cumulative and Security updates.