Published: Mar 24, 2023
Microsoft is introducing a transport-based enforcement system in Exchange Online that will throttle and block emails from old Exchange Servers. The company explained that this change aims to encourage organizations to upgrade to a supported version of Exchange Server.
Microsoft has found that thousands of on-premises customers are running outdated versions of Exchange Server. The list includes Exchange 2007, Exchange 2010, and Exchange 2013, which will become unsupported next month. Moreover, unpatched Exchange 2016 and Exchange 2019 servers remain vulnerable to known attack vectors, including the Hafnium hacks that started in March 2021.
Microsoft plans to address the problem by implementing a transport-based enforcement system in Exchange Online on June 26, 2023. Initially, it will report, throttle, and block messages sent from Exchange 2007 Servers over an inbound OnPremises type of connector. However, the change will not impact emails coming from unsupported servers via a different pathway.
“The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked,” the Exchange team explained.
Microsoft plans to implement the enforcement in a progressive manner to include other Exchange Server versions. The company will begin notifying all customers with vulnerable servers that they will be subject to throttling within 60 days. The enforcement process will be divided into 30-day chunks that involve reporting, throttling, and blocking.
Microsoft urges organizations to upgrade or patch their vulnerable on-premises servers. However, the company is aware that this change may cause disruptions in business workflows. It will allow IT admins to request a temporary enforcement pause for up to 90 days per calendar year. For customers who continue to use outdated on-premises Exchange Servers, the blocking process will resume from the same point where it was paused.
Microsoft plans to hold an AMA session to inform customers about these changes on May 10, 2023, at 9 AM PT. If you’re interested, you can register for the event on the Exchange Events website.