Time To Ditch Exchange Server for Exchange Online?

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021...The past year’s vulnerabilities have made [Exchange servers] perfect targets... so they should be carefully audited and monitored for hidden implants" - Pierre Delcher, Kaspersky security researcher comments.

Microsoft is well aware of the problem Kaspersky highlights - postponing the next version of Exchange from 2021 to 2025, so there's more time to beef up security in response to "state sponsored threat actors targeting on-premises Exchange servers."

What has Microsoft been doing with that extra development time? It released out-of-band security updates, created a one-click migration tool that's now part of Exchange Server, added AMSI (Anti-Malware Scan Interface) integration and made it easier to install security updates. But that may not be enough.

If you currently run your own Exchange server, it's worth seriously considering whether to switch to Exchange Online, the Microsoft hosted version that often comes bundled with Microsoft 365. Besides generous storage quotas, Exchange Online makes security Microsoft's problem to a large extent. 

You are still have some responsibilities, such as keeping offsite backups of your emails. That doesn't have to be difficult. Our Veeam-based cloud backup service is able to backup almost anything to the cloud, including Exchange Online data. 

Many organisations have already made the switch to Exchange Online. To give you one example, a customer of ours made the switch, finding they no longer had to worry about upgrading their Exchange Server. They saw a noticable bump in mail quotas and they put an end to fiddly PST file archiving.

We have also switched from a self-hosted Exchange server to Exchange Online ourselves. To be blunt, no-one in IT - and no-one outside IT - misses our old Exchange server.

Despite Microsoft's best efforts, on-premises Exchange servers are going to remain a major target for hackers as they are used by many large, high-profile organisations able to pay significant ransoms - directly and through cyber-insurance.

If you want to keep your own Exchange server but limit the damage an Exchange compromise would do, one option is to implement Zero-Trust Network Access, so hackers will find it more difficult to use a compromised Exchange Server to attack other servers and devices on your network.

Exchange is under attack and will likely remain under attack. That doesn't have to be your problem.