CISA, NSA offer guidance to better protect Microsoft Exchange Servers
Cybersecurity experts from multiple federal agencies released guidance to help organizations bolster their defenses against attacks on on-premises Microsoft Exchange Servers, resurfacing and building upon previously shared advice that generally applies to most technology.
The Cybersecurity and Infrastructure Security Agency said the security blueprint for Microsoft Exchange Server is a follow-up effort to an emergency directive the agency released in August for CVE-2025-53786, a high-severity defect affecting on-premises Microsoft Exchange servers. CISA jointly issued the guide Thursday with the National Security Agency and cyber agencies in Australia and Canada.
Nick Andersen, executive assistant director for cybersecurity at CISA, said the guidance isn’t in response to any specific vulnerability or attack, but rather reflects that organizations are under constant threat. “Many organizations depend on Microsoft Exchange to perform these critical communication functions, and that necessitates a strong degree of protection from malicious actors,” he said during a media briefing Thursday.
The recommendations aren’t particularly new and should come as no surprise to security and IT professionals. The guide synthesizes security advice shared by Microsoft, security experts and the industry at large. The majority of works cited in the guide, more than 60, link back to blogs and advice scattered around Microsoft sites.
“The individual recommendations are known good practices. What stands out to me is the detailed implementation guidance and how the guide stitches the compilation of recommendations into a game plan for improved security,” Andrew Grotto, research scholar at Stanford University’s Center for International Security and Cooperation, told CyberScoop.
“It’s a practical and very usable guide,” he said. “It also begs the question of why Microsoft has never produced something quite like this.”
Microsoft declined to answer questions or provide additional information.
The guide encourages on-premises Microsoft Exchange Server customers to restrict administrative access, implement multi-factor authentication, enforce strict transport layer security configurations and adopt zero-trust security principles. It also advises organizations to patch regularly and migrate off end-of-life Microsoft Exchange Servers.
“The most effective defense is ensuring all Exchange Servers are running the latest version and cumulative update patches,” Andersen said. “Delaying or failing to apply security patches increases the risk of vulnerability exploitation and puts your entire network at risk, as well as the larger ecosystem.”
Microsoft’s level of involvement in the development of the guidance is unclear. Andersen did not address that directly, but said CISA is grateful to Microsoft and other vendors who participate in the vendor ecosystem with the federal government.
“We wanted to be able to have something, given both the criticality and sort of the level of participation that we have with this partner, to outline some of those best practices,” Andersen said.
Microsoft Exchange Server is heavily targeted by nation-state attackers and cybercriminals. The popular enterprise technology appears 16 times on CISA’s known exploited vulnerabilities catalog dating back to 2021, and 12 of those vulnerabilities are known to be used in ransomware attacks. That year, the U.S. government and its allies blamed China for exploiting an Exchange flaw that led to a rash of ransomware attacks affecting tens of thousands of victims.
To Grotto, the recommendations in the guide underscore how complex Microsoft Exchange is, “and complexity is the enemy of security,” he said. “For Microsoft, complexity is the customer’s problem, not theirs.”
The federal and international agencies’ effort was likely driven by what they determined to be an unmet need, according to Grotto.
“Governments do not normally step in to provide detailed guidance on behalf of private companies on how to safely operate their products,” he said. “The fact that a multilateral coalition of security and intelligence agencies felt that they needed to produce something like this is a devastating commentary on Microsoft’s security posture.”