Microsoft announced that some of the Exchange Server flaws addressed as part of the August 2022 Patch Tuesday also require admins to manually enable Extended Protection (EP) on affected servers to fully block attacks. The EP feature enhances Windows Server auth functionality to mitigate “man in the middle” attacks. The company patched 121 flaws as part of this update including the DogWalk Windows zero-day and several critical severity Exchange vulnerabilities. Remote attackers can exploit these Exchange bugs by tricking targets into visiting a malicious server using phishing emails or chat messages.
The Exchange Server Team stated they are not aware of any active exploits in the wild, but they still recommend installing the new updates in addition to manually enabling EP to protect environments. It is important to remember that EP is only supported in specific versions of Exchange. Microsoft has provided a script to enable this feature, but admins have been advised to evaluate their environments and review the issues mentioned in the script documentation before enabling it. Exploitation is more likely for Exchange Server 2013 CU23, Exchange Server 2016 CU22/CU23, and Exchange Server 2019 CU11/CU12. Analysis shows that the exploit code can be consistently exploited making it a very attractive target for attackers.