
Overview of AMSI Integration in SharePoint and Exchange Server | Image: Microsoft
Microsoft has announced enhanced security measures for its Exchange Server and SharePoint Server products, both of which are critical assets for many organizations. The core of this enhancement is the integration with the Windows Antimalware Scan Interface (AMSI).
The blog post emphasizes that Exchange and SharePoint servers are prime targets for attackers due to the sensitive data they hold. To counter this, Microsoft has integrated AMSI, an interface that lets applications and services hand content to any AMSI-compatible antimalware product for scanning. This integration provides a crucial layer of defense by inspecting incoming HTTP requests and blocking malicious ones before they reach backend endpoints.
The blog post highlights the persistent nature of attacks against these servers, noting that “threat actors have consistently relied on outdated or misconfigured assets, exploiting vulnerabilities that enable them to gain a persistent foothold inside the target.” It cites the ProxyShell and ProxyNotShell vulnerabilities in Exchange Server as examples, where attackers exploited these flaws long after patches were available. These attacks involved server-side request forgery (SSRF) and privilege escalation, leading to remote code execution, web shell deployment, lateral movement, and data exfiltration.
More recent attack trends have shifted towards NTLM relay and credential leakage techniques. The blog post explains how attackers can use Office documents and emails to exploit NTLM coercion vulnerabilities, relay credentials to vulnerable servers, and potentially compromise accounts.
SharePoint Server is also in the crosshairs of attackers who exploit vulnerabilities to gain privileged access. Attackers employ stealthy persistence tactics such as modifying legitimate files with web shell code and installing remote monitoring and management (RMM) tools.
Microsoft acknowledges that while cloud-based solutions offer some security advantages, many organizations still need on-premises Exchange and SharePoint deployments. Therefore, securing this on-premises infrastructure is paramount. The AMSI integration is particularly important in defending against zero-day exploits. AMSI detections are integrated into the Microsoft Defender portal, providing security operations teams with visibility for investigation and remediation.
The blog post details how AMSI is integrated into the IIS pipeline as a security filter module, inspecting incoming HTTP requests at the onBeginRequest stage. This allows for the analysis of requests before they are processed, effectively mitigating the risk of exploitation. Malicious requests are met with an HTTP 400 Bad Request response.
Initially, AMSI integration focused on scanning request headers, which was effective against SSRF attempts. However, modern attacks increasingly embed malicious code within request bodies. To address this, Microsoft has extended AMSI’s capabilities to include scanning request bodies in both Exchange Server and SharePoint Server. Microsoft strongly recommends enabling these enhanced controls.
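To make the pipeline position and the header-versus-body distinction concrete, here is an added model of a begin-request security filter. It is illustrative code written for this summary, not Microsoft's module; the scan_buffer function is a constructed stand-in for the AMSI scan call (real AMSI hands the bytes to the registered antimalware engine), and the marker token, request paths and hostnames are constructed sample data. The comparison runs the same three requests through a header-only filter and a header-plus-body filter, so the reader can see which requests reach the backend in each configuration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

# Constructed marker string; the stand-in scanner flags any buffer containing it.
TEST_MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


class ScanResult(Enum):
    CLEAN = "clean"
    DETECTED = "detected"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class HttpResponse:
    status: int
    reason: str


@dataclass
class DetectionEvent:
    """What a filter would forward to the security portal for triage."""
    stage: str  # "headers" or "body"
    path: str


def scan_buffer(data: bytes) -> ScanResult:
    """Stand-in for the AMSI scan call (assumption, not the real API): the real
    call hands the bytes to the antimalware engine. Here only the constructed
    marker is flagged."""
    return ScanResult.DETECTED if TEST_MARKER in data else ScanResult.CLEAN


def serialize_headers(headers: Dict[str, str]) -> bytes:
    """Flatten the header block into one buffer so it is scanned as a whole."""
    return b"\r\n".join(f"{k}: {v}".encode() for k, v in headers.items())


@dataclass
class AmsiFilterModule:
    """Model of a begin-request filter that sits in front of a backend handler."""
    scan_body: bool
    backend: Callable[[HttpRequest], HttpResponse]
    events: List[DetectionEvent] = field(default_factory=list)

    def on_begin_request(self, req: HttpRequest) -> HttpResponse:
        # Headers are scanned first; this was the original scope of the integration.
        if scan_buffer(serialize_headers(req.headers)) is ScanResult.DETECTED:
            self.events.append(DetectionEvent("headers", req.path))
            return HttpResponse(400, "Bad Request")
        # Body scanning is the extended control; without it, body payloads pass through.
        if self.scan_body and req.body and scan_buffer(req.body) is ScanResult.DETECTED:
            self.events.append(DetectionEvent("body", req.path))
            return HttpResponse(400, "Bad Request")
        # Nothing flagged: the request continues to the backend endpoint.
        return self.backend(req)


def run_comparison() -> Dict[str, Dict[str, int]]:
    """Run three constructed requests through header-only and header+body filters.
    Returns {mode: {request_name: status, "backend_hits": n, "detections": n}}."""
    requests = {
        "benign": HttpRequest("GET", "/owa/", {"Host": "mail.example.test"}),
        "marker_in_header": HttpRequest(
            "GET", "/ews/",
            {"Host": "mail.example.test", "Cookie": "X=" + TEST_MARKER.decode()}),
        "marker_in_body": HttpRequest(
            "POST", "/ews/",
            {"Host": "mail.example.test", "Content-Type": "text/xml"},
            body=b"<Envelope>" + TEST_MARKER + b"</Envelope>"),
    }
    results: Dict[str, Dict[str, int]] = {}
    for mode, scan_body in (("headers_only", False), ("headers_and_body", True)):
        reached: List[str] = []

        def backend(req: HttpRequest, reached=reached) -> HttpResponse:
            reached.append(req.path)  # record that the request got past the filter
            return HttpResponse(200, "OK")

        module = AmsiFilterModule(scan_body=scan_body, backend=backend)
        statuses = {name: module.on_begin_request(r).status for name, r in requests.items()}
        statuses["backend_hits"] = len(reached)
        statuses["detections"] = len(module.events)
        results[mode] = statuses
    return results


if __name__ == "__main__":
    for mode, outcome in run_comparison().items():
        print(mode, outcome)
```

In header-only mode the body-borne marker is never scanned and the request reaches the backend with a 200, which is exactly the gap the extended body scanning closes; with scan_body enabled the same request is rejected with 400 at the begin-request stage and a detection event is recorded for the operations team.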
The blog post provides specific examples of attacks, including SSRF exploitation (e.g., CVE-2023-29357, CVE-2022-41040), web shell interaction, Exchange Web Services (EWS) abuse, insecure deserialization leading to RCE, and web control abuse. In each case, the blog post explains how AMSI helps to detect and mitigate these attacks.
Finally, the blog post offers mitigation and protection guidance, emphasizing the importance of:
- Activating AMSI.
- Applying the latest security updates.
- Keeping antivirus and other protections enabled.
- Reviewing sensitive roles and groups.
- Restricting access.
- Prioritizing alerts.
By implementing these measures, organizations can significantly improve the security posture of their Exchange and SharePoint Server environments.