Microsoft Exchange Server ProxyLogon Vulnerability: 8 Questions to Ask Vendors

Assess your organization's exposure with these essential questions for your vendors, suppliers and other third parties.
March 24, 2021
Blog ms exchange proxylogon vulnerability 0321

In January 2021, several global cyberattacks targeted vulnerabilities in Microsoft Exchange Server versions 2010, 2013, 2016 and 2019. The Exchange Server ProxyLogon vulnerability enables attackers to read emails from a physical, on-premise Exchange server without authentication. What's more, it provides a pathway for multi-staged attacks that can completely compromise the victim's mail server by taking advantage of additional vulnerabilities.

Microsoft released updates on March 2, 2021 to patch the vulnerabilities. However, ten days later, they announced that ransomware had been deployed to the initially infected servers. The ransomware encrypted files and rendered them inoperable until payment was received. In fact, several organizations impacted by the Exchange Server vulnerability – such as ACER, Buffalo Public Schools and Molson Coors Beverage Company – are reporting follow-on REvil ransomware attacks.

Naturally, this highly sophisticated attack may be raising questions about whether the Exchange Server vulnerability could ultimately impact your company by way of its vendors, suppliers and other third parties.

8 Critical Questions to Assess Third-Party Exposure to the Microsoft Exchange Vulnerability

Prevalent has assembled a list of eight essential questions to ask your third parties in order to gauge their response to this incident. Use the questionnaire to not only gain visibility into whether a vendor/suppler has been impacted by the ProxyLogon vulnerability, but also reveal its potential impact on your organization's data.

Question Potential Responses

1) Has the organization been impacted by the recent Microsoft Exchange ProxyLogon vulnerability?

(Please select one)

a) Yes, we have been impacted as a result of the recent Microsoft Exchange ProxyLogon vulnerability.

b) No, we have not been impacted as a result of the recent Microsoft Exchange ProxyLogon vulnerability.

c) The organization is unsure if it has been impacted as a result of the recent Microsoft Exchange ProxyLogon vulnerability.

2) Has the organization implemented patches recently released by Microsoft to the affected systems?

(Please select one)

a) Yes, the organization has obtained, tested and successfully installed the patches released by Microsoft.

b) No, the organization has not yet obtained, tested and installed the patches released by Microsoft.

c) The organization is unable to install the updates provided by Microsoft.

3) If the organization is unable to install the recommended updates, have the following actions been taken based off of Microsoft's proposed Server Vulnerabilities Mitigations?

(Please select all that apply)

a) Implement an IIS Re-Write Rule to filter malicious https requests.

b) Disable Unified Messaging (UM).

c) Disable Exchange Control Panel (ECP) VDir.

d) Disable Offline Address Book (OAB) VDir.

e) The organization is unable to apply any of the mitigations recommended by Microsoft.

4) If the organization is unable to install the recommended updates or apply the mitigations recommended by Microsoft, have the following actions been taken?

(Please select all that apply)

a) Blocking untrusted connections to the Exchange server port 443.

b) Where secure remote access solutions are already in place configuring Exchange only to be available remotely via this solution.

5) Has the organization proactively searched systems for evidence of compromise, in line with Microsoft guidance?

(Please select all that apply)

a) The organization is using the 'Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities' to aid in remediation activities.

b) The organization has installed the Microsoft Exchange On-premises Mitigation Tool (EOMT) as a means of identifying systems for evidence of compromise.

c) The organization has consulted the TLP WHITE advisory paper from CISA and the FBI a means of further investigating and mitigating the vulnerabilities.

6) Does the organization have an incident investigation and response plan in place?

(Please select all that apply)

a) The organization has a documented incident management policy.

b) The incident management policy includes rules for reporting information security events and weaknesses.

c) An incident response plan is developed as part of incident investigation and recovery.

d) Incident response planning includes escalation procedures to internal parties, and communication procedures to clients.

7) Who is designated as the point of contact who can answer additional queries?


8) What is the level of impact to client systems and data following this vulnerability?

(Please select one)

a) There has been no impact to client systems or data following this vulnerability.

b) There has been a low impact to client systems or data following this vulnerability.

c) There is a high level of impact to client systems or data following this vulnerability.

d) There has been significant impact to client systems or data following this vulnerability.

Free Microsoft Exchange ProxyLogon Vulnerability Assessment

Download the PDF to gain visibility into how your vendors and suppliers have responded to the ProxyLogon vulnerability.

Download the PDF
Feature ms exchange vulnerability assessment

Three Levels of Coverage to Stay Ahead of Third-Party Breaches

The Microsoft Exchange ProxyLogon vulnerability is an important reminder that mitigating the impact of attacks targeting your third parties requires multiple layers of detection, both proactive and reactive. Here are three levels of coverage that we consider essential:

1. Monitor for third-party breach disclosures

Establishing continuous monitoring of third-party breach disclosures, news updates, and regulatory and legal filings is an important first step, providing qualitative indicators that a compromise could occur. However, simply monitoring news sites, social media posts, or getting daily updates from an RSS feed will not enable you to quantify or analyze the impact of such announcements or act on them. That’s why it’s important to seek qualitative insights from a centralized service that includes hundreds of thousands of public and private sources and enables you to tie the data together in a unified risk register.

2. Monitor for other indicators of cyber compromises

Scanning for vulnerabilities on public-facing vendor web properties will only reveal a small measure of the risks they (and therefore you) are exposed to. Go deeper by monitoring criminal forums, onion pages, the deep dark web’s special access forums, threat feeds, paste sites for leaked credentials, as well as security communities, code repositories, and finally vulnerability databases. As above, though, it’s too complex and time-consuming to monitor this activity on your own, even when limited to your high-tier suppliers. Instead, centralize this activity in a single service that monitors for cybersecurity intelligence and can automatically trigger remediation actions based on findings.

3. Augment point-in-time assessments with rapid response

SolarWinds, Accellion, and now Microsoft Exchange. High-profile security incidents and damaging breaches impacting third parties has been on the rise. Yet, many organizations struggle to get timely notifications of impact from their supplier bases. This can delay risk identification and mitigation and ultimately lead to unwanted exposure. Why? Existing approaches to vendor event notification are highly manual, don’t offer third parties the opportunity to quantify their risk or provide meaningful context to the incident, and lack prescriptive remediation guidance to jump start the risk mitigation process.

How can your organization help your vendors accelerate the event notification process? Assess your vendors against a customizable event questionnaire that is automatically triggered by events, enables them to proactively submit assessments, and offers prescriptive remediation guidance to quickly identify and mitigate the impact of a security incident.

None of that is possible by watching news feeds or exchanging spreadsheets over email. Centralized assessment platforms automate the critical tasks required to quickly discover, quantify and remediate risks from vendor vulnerabilities -- without overwhelming your team.

Next Steps

Be sure to download the PDF of the Third-Party Microsoft Exchange Server ProxyLogon Vulnerability Assessment. We hope the questionnaire will provide some assurance that your vendors and suppliers have implemented the controls necessary to address this critical vulnerability.

Because cyberattacks targeting this vulnerability have evolved to include ransomware, be sure to also download Prevalent’s free ransomware assessment to identify immediate gaps that could impact the readiness of your organization to react to similar ransomware threats.

Once the dust settles, keep in mind that Prevalent offers a third-party risk management platform that includes more than 60 questionnaire templates meant to help you automate the tedious tasks of assessing vendors, and augments the findings with continuous cyber and breach monitoring. Contact us today to schedule a strategy session.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo