
What are the Microsoft Exchange Server security best practices?


According to guidance from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and other international cybersecurity agencies, Exchange environments face continuous targeting and should be considered under imminent threat. A compromised Exchange server can expose sensitive communications, provide attackers with access into a network, and disrupt business operations.

The sophistication of email-based attacks continues to grow. Research published in "Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks" found that attackers can forge "more realistic emails" capable of penetrating even celebrated email services like Gmail and Outlook. The study tested 30 popular email services and 23 email clients, discovering that "all of them are vulnerable to certain types of new attacks." Furthermore, the researchers demonstrated that "by combining different attacks, a spoofing email can completely pass all prevalent email security protocols, and no security warning is shown on the receiver's MUA."

Research published in the academic paper titled Email Security Issues, Tools, and Techniques Used in Investigation reinforces this, noting that "email is one of the most common sources of criminal activity on the Internet" and that "fraudsters often use email as a means to commit fraud or collaborate with their accomplices." The academic paper identifies multiple threat vectors including "fraud email, spamming, bombing, phishing, eavesdropping, message modification, identity theft, repudiation, false messages, and malicious software spread via emails."

TechRadar reported in "Thousands of Microsoft Exchange servers remain unpatched against major threat - here's what to do to stay safe" that almost 30,000 Exchange servers remain unpatched and exposed online following the disclosure of a dangerous, high-severity flaw in hybrid Exchange deployments. The Shadowserver Foundation found that of these vulnerable servers, 7,200 are located in the United States, 6,700 in Germany, and around 2,500 in Russia.

The risk has worsened as certain Exchange Server versions have reached end-of-life, leaving organizations that still run them exposed to compromise. Below are the Microsoft Exchange Server security best practices recommended by the NSA and CISA:


Keep everything updated

Microsoft releases two Cumulative Updates (CUs) per year for Exchange Server, along with monthly security and hotfix updates. Because malicious actors can develop exploits within days of a patch release, updates should be applied as soon as practicable after they become available. When Microsoft releases updates, it posts the details on the Exchange Server build numbers and release dates page. Between vulnerability discovery and patch issuance, Microsoft sometimes also releases interim mitigations and defensive tools, which it announces on the Exchange Team Blog.

Delaying or failing to apply security patches compounds risk over time, exposing not just the email system but the entire network. The August 2025 incident reported by TechRadar illustrates the point: despite Microsoft publicizing and patching a critical flaw, thousands of organizations failed to act quickly, leaving their systems open to attack.


Move away from end-of-life software

As of October 14, 2025, Microsoft Exchange Server Subscription Edition (SE) became the sole supported on-premises version of Exchange after Microsoft ended support for previous versions. 

When planning a migration to Exchange Server SE or an alternative supported email server, consider compatibility with the organization's email clients, such as Outlook or Microsoft 365 Apps for Enterprise, so that overall security is maintained.

If migration must be delayed, the guidance is clear: limit the attack surface as much as possible and never expose unsupported Exchange servers directly to the Internet. Consider isolating the server in a dedicated network segment that permits only limited internal communication.


Understanding email protocol vulnerabilities

To secure Exchange properly, it helps to understand the weaknesses of the underlying email protocols and of the authentication chain they form. The academic paper points out a fundamental one: "The SMTP protocol does not encrypt messages. Because SMTP server communications are in plain text, eavesdropping is possible." Furthermore, "the SMTP protocol does not have a mechanism to prevent repudiation, which would force a sender to deny sending emails."

The research paper on email sender spoofing attacks emphasizes a security principle: "The authenticity of an email depends on the weakest link in the authentication chain." The study explains that "authentication of an email involves four different roles: senders, receivers, forwarders and UI renderers. Each role should take different security responsibilities. If any role fails to provide a proper security defensive solution, an email's authenticity can not be guaranteed."

This chain-based structure means that "even a harmless issue may cause unprecedented damages when it is integrated into a more extensive system." The researchers found that "spoofing attacks might still succeed due to the inconsistency of entities protected by different protocols," and demonstrated that "it is still challenging to identify whether such an email is spoofing, even for people with a senior technical background."

These protocol-level vulnerabilities show why implementing additional security layers such as encryption, authentication, and monitoring is needed for any Exchange deployment.

 

Special considerations for hybrid environments

Organizations running hybrid Exchange deployments, which combine on-premises Exchange servers with Exchange Online in Microsoft 365, face additional security challenges. According to the TechRadar article, Microsoft issued an urgent warning about an improper authentication bug that could allow threat actors with administrative access to an on-premises Exchange server to escalate privileges into the connected Exchange Online environment, owing to trust flaws in shared service principal configurations.

Microsoft's statement emphasized the severity, stating: "In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace."

Both Exchange Server 2016 and Exchange Server 2019 are affected by this vulnerability, as well as Microsoft Exchange Server Subscription Edition. Microsoft has urged customers to apply April 2025 hotfixes, transition to the dedicated Exchange Hybrid app, and reset the shared service principal's credentials to mitigate the risk.

The hybrid environment poses an additional challenge because activity on on-premises Exchange does not always generate logs associated with malicious behavior in Microsoft 365, so an attack may go undetected if an organization relies on cloud-based auditing alone.


The emergency mitigation service

Microsoft offers a security feature called the Exchange Emergency Mitigation (EM) Service, which has been installed automatically on Exchange Mailbox servers since the September 2021 CU for Exchange Server 2016 and 2019.

The EM Service actively applies mitigations to Exchange through Microsoft's cloud-based Office Config Service, deploying protections that include URL rewrite rules to block malicious HTTP requests and the disabling of vulnerable services. While it's not a replacement for security updates, it's described as the fastest and easiest way to mitigate the highest risks to internet-connected Exchange servers before updating.

Proactively ensuring this service remains enabled helps maintain protection against newly identified threats.


Building layered defenses

Security experts advocate a defense-in-depth approach: multiple layers of protection that work together. For Exchange, this means enabling built-in protections, including:

  • Antivirus protection like Microsoft Defender Antivirus
  • Anti-malware scanning through Windows Antimalware Scan Interface (AMSI)
  • Attack Surface Reduction rules, including one specifically designed to block webshell creation on servers with the Exchange role
  • Application controls through AppLocker and App Control for Business
  • Endpoint Detection and Response (EDR) tools for advanced threat detection

Beyond Windows protections, Exchange Server includes its own anti-spam and anti-malware features that should be enabled and configured. These built-in protections create overlapping defensive coverage that makes it harder for threats to slip through.

 

Strengthening authentication and encryption

Authentication and encryption provide the identity verification and confidentiality assurances that are needed to secure communications. The academic paper emphasizes this point by stating that, "The email connection is critical since other network users may obtain login information and see messages that were being sent or received if the connection to the email provider is not encrypted."

Exchange uses Transport Layer Security (TLS) encryption for internal and external server communications, protecting emails in transit and user connections to the Exchange server. As the academic paper recommends, "The entire data exchange between the client PC/browser/mail program on the one side and the server on the other side should only run via SSL (Secure Sockets Layer) or TLS (Transport Layer Security)."

Organizations should apply the latest supported TLS configuration consistently across all Exchange servers and restart each server after configuration changes so the new settings take effect. Consistent TLS settings simplify troubleshooting and prevent any one server from downgrading to weaker cryptographic protection.
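An added example (not from the article or from Microsoft) of the consistency check described above, written in PowerShell for the Exchange servers themselves: it snapshots the registry values that govern TLS version selection and reports any setting that differs between servers. The server names EX01 and EX02 and the demonstration data are constructed.

```powershell
function Get-TlsSnapshot {
    # Read the SCHANNEL protocol switches and the .NET strong-crypto values that decide which
    # TLS versions this server offers. '<absent>' means the value is unset, so the OS default applies.
    $root   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $dotNet = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $snap = @{}
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                $v = (Get-ItemProperty -Path "$root\$proto\$side" -Name $name -ErrorAction SilentlyContinue).$name
                $snap["$proto/$side/$name"] = if ($null -eq $v) { '<absent>' } else { $v }
            }
        }
    }
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $v = (Get-ItemProperty -Path $dotNet -Name $name -ErrorAction SilentlyContinue).$name
        $snap[".NET/$name"] = if ($null -eq $v) { '<absent>' } else { $v }
    }
    return $snap
}

function Compare-TlsSnapshots {
    # $Snapshots maps server name -> snapshot. Emits every setting whose value is not identical
    # on all servers, so drift such as one server still accepting TLS 1.0 stands out.
    param([hashtable]$Snapshots)
    $servers  = @($Snapshots.Keys | Sort-Object)
    $settings = $Snapshots.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($setting in $settings) {
        $distinct = @($servers | ForEach-Object { [string]$Snapshots[$_][$setting] } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            $pairs = $servers | ForEach-Object { "$_=$($Snapshots[$_][$setting])" }
            [pscustomobject]@{ Setting = $setting; Values = ($pairs -join ', ') }
        }
    }
}

# Real collection (hypothetical server names; needs WinRM): one snapshot per Exchange server.
# $snaps = @{}
# foreach ($s in 'EX01', 'EX02') { $snaps[$s] = Invoke-Command -ComputerName $s -ScriptBlock ${function:Get-TlsSnapshot} }
# Compare-TlsSnapshots -Snapshots $snaps | Format-Table -AutoSize

# Constructed demonstration data (not collected from real servers): EX02 still has TLS 1.0 enabled server-side.
$demo = @{
    EX01 = @{ 'TLS 1.0/Server/Enabled' = 0; 'TLS 1.2/Server/Enabled' = 1; '.NET/SchUseStrongCrypto' = 1 }
    EX02 = @{ 'TLS 1.0/Server/Enabled' = 1; 'TLS 1.2/Server/Enabled' = 1; '.NET/SchUseStrongCrypto' = 1 }
}
Compare-TlsSnapshots -Snapshots $demo | Format-Table -AutoSize
```

Any row in the output is a server whose TLS posture differs from its peers and should be brought in line before it becomes the weak link.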

Another defense is Extended Protection, which provides additional authentication defenses against adversary-in-the-middle attacks, relay attacks, and forwarding techniques. Extended Protection enhances TLS connections with Channel Binding Tokens that link authentication information to unique TLS sessions, making it harder for attackers to relay stolen credentials.


Modern authentication and multifactor authentication

Starting with Exchange Server 2019 CU13, Exchange supports Modern Authentication, which is based on OAuth 2.0 and enables multifactor authentication (MFA). Modern Authentication replaces Basic Authentication, addressing the risk of credentials being sent in clear text.

Once Modern Authentication is configured, organizations should disable Basic Authentication. With Modern Authentication, a client gains access to a user's mailbox only after the user authenticates, an access token is issued, and Exchange validates that token, creating multiple checkpoints that an attacker would have to bypass.

 

The role of digital signatures

Digital signatures add another layer of security and non-repudiation to email communications. According to the academic paper, "Digital signatures generate a unique virtual fingerprint for a person or entity and are used to identify users and safeguard information in digital messages or documents."

The paper further explains that "a digital signature added to an email message adds a degree of protection by ensuring the receiver that the originator is not an impostor who signed the email message's contents." This capability is important for business-critical communications and compliance requirements.

 

Restricting administrative access

Only authorized, dedicated administrative workstations should be permitted to access Exchange administrative environments like the Exchange Admin Center and remote PowerShell. Since the Exchange Admin Center is web-based and hosted alongside Outlook on the Web, restricting access requires configuring Client Access Rules and host firewall rules.

Exchange Server's Role Based Access Control (RBAC) model lets organizations implement split permissions, separating management responsibilities to achieve least privilege. This separation makes it less likely that a compromise of Exchange leads to a complete domain compromise.

 

Email forensics and incident response

The academic paper notes that "the header is critical for inquiry and evidence collecting. It includes information on the sender/receiver, the path, and the message." Email headers contain valuable metadata that can help trace the origin of attacks and understand the scope of a breach.

Additionally, implementing hash value verification ensures data integrity during investigations. As the academic paper explains, "Hash values are generated to ensure that the integrity of the data is not compromised and that it remains unaltered during the investigation." Organizations should establish procedures for preserving email evidence and conducting forensic analysis when needed.
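An added example (not from the article or the paper it cites) of the two forensic points above, in PowerShell: it reconstructs the hop chain from a message's Received: headers and records a SHA-256 hash of the preserved copy so its integrity can be verified later. The sample message, hostnames and addresses are constructed.

```powershell
function Get-ReceivedChain {
    # Return the Received: hops of a raw message in transmission order (oldest first).
    # Each server prepends its own Received: header, so the top one is the final hop.
    param([string]$RawMessage)
    $headerBlock = ($RawMessage -split "`r?`n`r?`n", 2)[0]
    # Unfold continuation lines: a line beginning with whitespace continues the previous header.
    $unfolded = $headerBlock -replace "`r?`n[ \t]+", ' '
    $hops = @(foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s+(?<clause>[^;]*);?\s*(?<date>.*)$') {
            $clause = $Matches['clause']; $date = $Matches['date']
            $from = if ($clause -match '\bfrom\s+(\S+)') { $Matches[1] } else { '<none>' }
            $by   = if ($clause -match '\bby\s+(\S+)')   { $Matches[1] } else { '<none>' }
            $with = if ($clause -match '\bwith\s+(\S+)') { $Matches[1] } else { '<none>' }
            [pscustomobject]@{ Hop = 0; From = $from; By = $by; With = $with; Date = $date }
        }
    })
    [array]::Reverse($hops)
    for ($i = 0; $i -lt $hops.Count; $i++) { $hops[$i].Hop = $i + 1 }
    return $hops
}

function Write-EvidenceRecord {
    # Save the message to disk and append its SHA-256 to a custody log so later analysis
    # can prove the preserved copy has not been altered.
    param([string]$RawMessage, [string]$EvidencePath, [string]$LogPath)
    Set-Content -Path $EvidencePath -Value $RawMessage -NoNewline -Encoding ASCII
    $hash = (Get-FileHash -Path $EvidencePath -Algorithm SHA256).Hash
    "$(Get-Date -Format o) SHA256 $hash $EvidencePath" | Add-Content -Path $LogPath
    return $hash
}

# Constructed sample message (not a real capture); hop order mirrors how servers prepend headers.
$sample = @"
Received: from edge01.example.internal (10.0.0.5) by mbx01.example.internal with Microsoft SMTP Server; Mon, 3 Nov 2025 09:15:02 +0000
Received: from mail.sender.example (203.0.113.10) by edge01.example.internal with ESMTP id 7F2A; Mon, 3 Nov 2025 09:15:01 +0000
Received: from [192.0.2.44] by mail.sender.example with ESMTPSA;
 Mon, 3 Nov 2025 09:14:59 +0000
Authentication-Results: spf=pass smtp.mailfrom=sender.example
From: "Accounts" <billing@sender.example>
Subject: Invoice

Body text.
"@
Get-ReceivedChain $sample | Format-Table -AutoSize
Write-EvidenceRecord -RawMessage $sample -EvidencePath "$env:TEMP\evidence.eml" -LogPath "$env:TEMP\custody.log"
```

Hop 1 is the earliest server the message touched and is where origin analysis starts; re-running Get-FileHash against the logged value confirms the evidence copy is unchanged.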

 

FAQs

What are some signs that an Exchange Server may be compromised?

Unusual email activity, unexplained administrative changes, and high CPU usage can indicate a compromised Exchange Server.

 

How often should organizations review their Exchange security configurations?

Security configurations should be reviewed at least quarterly or after every major update or security patch.

 

Is Exchange Online automatically protected from the same threats as on-premises servers?

No. Exchange Online is managed by Microsoft, but organizations must still configure authentication, access controls, and monitoring properly.

 

What are the risks of delaying Cumulative Updates (CUs)?

Delaying CUs leaves known vulnerabilities unpatched, increasing the likelihood of exploitation within days of public disclosure.

 

Can third-party antivirus tools improve Exchange protection?

Yes, if properly configured, third-party antivirus solutions can supplement built-in Microsoft Defender protections.
