Has the HAFNIUM Attack Made On-Premises Exchange Too Risky to Maintain?

Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with an on-premises Exchange Server.” March 8th, 2021. Microsoft Threat Intelligence Center (MSTIC).

By now you’ve all heard the news about the continuing attacks taking place against on-premises Exchange servers globally, which is believed to have been orchestrated by HAFNIUM. According to MSTIC, “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

I imagine many organizations not just in the United States but around the world are asking themselves right now, “Did the HAFNIUM attacks make on-premises Exchange too risky to maintain?” Over the coming days, weeks, and months many organizations are going to start calculating the risk and cost of operating on-premises Exchange and the related systems as a long-term strategy.

Many of these organizations will identify the business drivers to justify the full consolidation of their on-premises Exchange infrastructure in favor of services and features available in Exchange Online and Microsoft 365. As Tony Redmond, Microsoft MVP and noted author stated in his recent Practical365.com article on this topic, “The bottom line is that if you can move email off on-premises Exchange to the cloud you should do so as quickly as you can.”

What does it take to decommission an on-premises Exchange infrastructure?

It’s more than just mailboxes

To decommission on-premises Exchange in favor of Exchange Online and Microsoft 365 services, you will need to consider much more than just how to move some mailboxes. While that is a key driver and component of this type of project, it isn’t the only consideration or piece of the puzzle. You will find that the most mature Exchange organizations, regardless of size, have built up over time interdependent systems around Exchange. Things such as backups and restores, archiving solutions, eDiscovery, and legal practices, not to mention the possibility of custom internal applications or devices that may use Exchange as a workflow transport that keep their business-critical applications running.

In this two-part series, we’ll highlight some of the other possible systems or processes that may be impacted by a move to Exchange Online and next we’ll cover the top five do’s and don’ts when planning your move.

Top five factors to consider when planning your move to Microsoft 365

Beyond choosing the mailbox migration methodology and/or tools there are other key areas that you may want to consider during the planning phase. Review the following five areas in your organization that can be impacted by a move to Exchange Online.

  1. Recovery – If you are looking to move your mailbox users to Exchange Online, you will need to evaluate how this will impact your current backup and recovery practices, along with your disaster recovery plans. Before you move to the cloud, consider if you need an alternative backup and recovery solution for Exchange Online, and most importantly, update your emergency planning documentation to reflect the changes in your disaster recovery since Exchange is no longer a major part of that exercise.
  2. Compliance – Microsoft 365 has some fantastic compliance solutions, not only to search your mailboxes, but your entire repository of data. To take advantage of these extensive features you would need a Microsoft 365 E5 license for each user. While Microsoft 365 does offer more functionality than the localized solutions provided for just Exchange On-Premises, you will have to weigh the cost of the user licensing against keeping your on-premises solutions. I think you’ll find that the investment is worth the cost with the added security, searchability and scale of data available.
  3. Archiving – Your organization may have invested in third-party archiving software, hardware or even storage locations to securely store your organization’s data for the long haul due to regulatory and compliance requirements. When you move to the cloud, be sure to plan how you will meet these same requirements now that all your data is in the cloud. This may require you to re-evaluate how long you retain data and where you store it, or to plan how you’ll move data from your existing archives to the cloud.
  4. Access – Before you move to the cloud, you must determine how your network users, mobile devices, and remote office workers will securely and reliably access their on-premises and cloud resources. Choosing between the right authentication technologies such as Active Directory Federation Services or seamless single sign-on, implementing conditional access policies and establishing and enforcing best practices can be a difficult balancing act to provide both easy, reliable access for your users while maintaining the highest security standards possible. Apart from authentication, you’ll also need to evaluate if all your business locations have reliable connectivity and bandwidth to maintain a high level of service for your end-users. Finally, beyond choosing the right authentication method and guaranteeing reliable connections, you will need to determine if your industry has any regulatory or compliance requirements preventing you from moving your users to the cloud. Once you have these pieces of the puzzle, you are one step closer to retiring those Exchange servers.
  5. Applications – Exchange On-Premises is an SMTP email relay system at the root of it all. And over time it can end up being a key cog in business-critical operations and workflows you may not even be aware of. Exchange may be connected to network printers, scanners, third-party applications for HR, sales, manufacturing … really an endless array of devices. Take a full inventory of known interdependencies and then review your audit logs to determine what other possible systems are using Exchange as a relay or using calendaring functionality as part of their workflows.

By no means is this everything you need to assess, design for, or consider during the planning phase of your project, but it is a glimpse into the complex interdependencies an on-premises Exchange infrastructure may have in a contemporary Microsoft network, and what you have in store for you if you do decide to move.

On demand migration Microsoft 365 migration tool

One solution. Many workloads.

Migrate and consolidate all your Microsoft 365 workloads with one simple and secure solution.

Planning your move to the cloud

These attacks aren’t over by any means. Security experts estimate that there are upwards of 80 thousand servers still vulnerable worldwide. And as Tony Redmond advised in his article, “if you can move, do it quickly!”

At Quest, we can help you plan for alternatives in all the areas mentioned above. We offer a wide range of secure software solutions available in SaaS and on-premises models and provide professional management of your entire migration project.

If you or your organization have been affected by these attacks, or you need help determining if you have been, contact us to see how we can help with all your local, hybrid and cloud needs.

And don’t miss out on the second part of this series where we’ll talk about the top five do’s and don’ts of planning a move to the cloud. Until next time… Go patch those servers!

HAFNIUM Exchange server hack: Why patching isn't enough and where to start hunting

Microsoft wants you to know that patching the four critical security flaws in Microsoft Exchange Server listed in CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 does not remediate existing compromised systems. Organizations need to patch, investigate and, if compromised, stop the attack. Hear expert advice from Jeff Guillet, Exchange Server Microsoft Certified Master, Michael Van Horenbeeck, Microsoft Certified Solutions Master, Paul Robichaux, Microsoft MVP and Bryan Patton, CISSP.

Watch on-demand

About the Author

Richard Dean

Richard is a seasoned product leader and solutions architect with over 25 years in the IT industry, specializing in Microsoft Cloud & Hybrid technologies. As Quest's Senior Manager of Technical Product Management, he excels in managing complex Microsoft 365 challenges. Richard is a certified Microsoft Professional, speaker, blogger, and podcaster. He co-hosts the Practical 365 podcast, sharing insights on Microsoft 365. Recently, he co-hosted The Experts Conference (TEC) 2023 in Atlanta, GA, presenting on multi-tenant management solutions. Passionate about sharing knowledge, Richard helps organizations succeed in their digital transformation journey

Related Articles