There are two Exchange vulnerabilities that were exploited by hackers even after Microsoft patched them. Referring to the dreary cycle of vulnerability disclosures and subsequent patching that the server requires, Risky Business called a recent episode "It's Exchangehog Day".
Aanchal Gupta, the corporate vice president of the Microsoft Security Response Center, responded with an extensive list of measures the company has taken to mitigate Exchange security issues. He said that Microsoft released updates to partially block the vulnerabilities that had been exposed before releasing the full fix. MSRC worked around the clock to help customers update their Exchange servers in the midst of last year's Hafnium attacks, released numerous security updates for Exchange over the year, and even launched an Exchange Emergency Mitigation service.
Gupta agreed that most customers should move from on-premises Exchange servers to Microsoft's cloud-based email service, Exchange Online. Gupta said that customers should migrate to the cloud to take advantage of real-time security and instant updates. "We advise customers who can't keep up with the latest versions of their systems to migrate to the cloud," Gupta said.
The age of Exchange's code and the risk of breaking interdependent mechanisms in the software make it difficult for email administrators to keep Exchange patched. Kevin Beaumont, a security researcher, recently live-tweeted his own experience of updating an Exchange server, documenting countless bugs, crashes, and hiccups in the process, which took him nearly three hours, even though the server had last been updated just a few months before. Even with active attacks under way, people don't patch their on-premises Exchange servers, and both patched and unpatched bugs are taking a long time to get fixed.
Exchange's security problems are compounded by the fact that vulnerabilities in its software are easy to exploit. Marcus Hutchins is an analyst for the security firm Kryptos Logic. Although an Exchange server hosts email locally, its vulnerabilities are much more reliable to use: it is far more reliable to pass commands through an online interface to a web server than to alter data in a lower-level and less predictable part of a targeted machine. Hutchins says it is very fancy web exploitation. If you do it wrong, it won't crash the server. It is very easy to understand.