Exchange Server: CISA Requires Agencies to Run Microsoft Safety Scanner
The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to “download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode” and “download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity.” Agencies must complete both steps by noon EDT on Monday, April 5, 2021. Additional hardening requirements must be implemented by June 28, 2021. The new requirements were released as Supplemental Direction to CISA’s March 3 Emergency Directive 21-02.
Everybody running Exchange Server should run the Microsoft Safety Scanner, even if you patched as soon as Microsoft released the fix. The scanner isn't perfect, but it is easy to run, and you should assume the system was compromised the day before the patch was released.
Both MSERT and the Test-ProxyLogon.ps1 script are updated frequently, so download the latest versions before performing these scans. The new requirements are not just to harden the servers' OS but also to verify that you are applying the principle of least privilege to accounts on your Exchange server. Note also the requirement not only to run supported OS and Exchange versions but to apply patches within 48 hours of release, which leaves little time for regression testing and makes verified roll-back procedures essential.
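The following PowerShell runbook is an added example (not CISA's, Microsoft's, or the Test-ProxyLogon.ps1 project's own code) showing how an Exchange administrator could carry out the two directive steps above in one elevated session: confirm the session is elevated, refuse a stale or unsigned copy of the tools, run MSERT in full-scan mode, then run Test-ProxyLogon.ps1 and collect everything in one results folder. Assumptions not stated on the page: msert.exe and Test-ProxyLogon.ps1 have already been downloaded to the $ToolDir path used here, the MSERT switches /F:Y and /Q and its log location are taken from Microsoft's Safety Scanner documentation, the ten-day tool age limit reflects Microsoft's statement that Safety Scanner expires ten days after download, and the -OutPath parameter name follows the script's documented usage at the time of writing.

```powershell
<#
  Added example, not the directive's or Microsoft's own code.
  Runs the two CISA Supplemental Direction steps on the local Exchange server:
    1. Microsoft Safety Scanner (MSERT) in Full Scan mode
    2. Test-ProxyLogon.ps1 against the local Exchange and IIS logs
  Run from an elevated PowerShell session on the Exchange server.
#>
param(
    [string]$ToolDir = 'C:\IR\Tools',     # assumed: where msert.exe and Test-ProxyLogon.ps1 were downloaded
    [string]$OutDir  = 'C:\IR\Results',   # assumed: where findings are collected
    [int]$MaxToolAgeDays = 10             # MSERT stops working 10 days after download; treat older copies as stale
)

$ErrorActionPreference = 'Stop'

# 1. The directive requires both steps to be run as an administrator.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell session.'
}

$msert  = Join-Path $ToolDir 'msert.exe'
$script = Join-Path $ToolDir 'Test-ProxyLogon.ps1'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 2. Refuse stale or tampered tools. Both must be present and recently downloaded;
#    msert.exe must carry a valid Microsoft Authenticode signature.
foreach ($tool in @($msert, $script)) {
    if (-not (Test-Path $tool)) {
        throw "Missing $tool; download the current version before scanning."
    }
    $ageDays = ((Get-Date) - (Get-Item $tool).LastWriteTime).TotalDays
    if ($ageDays -gt $MaxToolAgeDays) {
        throw "$tool is $([int]$ageDays) days old; download a fresh copy before scanning."
    }
}
$sig = Get-AuthenticodeSignature -FilePath $msert
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "msert.exe signature check failed (status: $($sig.Status)); do not run an untrusted scanner."
}
$scriptSig = Get-AuthenticodeSignature -FilePath $script
if ($scriptSig.Status -ne 'Valid') {
    Write-Warning "Test-ProxyLogon.ps1 signature status is '$($scriptSig.Status)'; verify the download source."
}

# 3. MSERT full scan. /F:Y = full scan with automatic cleanup, /Q = quiet (no UI).
#    Use /N instead of /F:Y to detect without cleaning. MSERT writes its log to
#    %SYSTEMROOT%\debug\msert.log; copy it into the results folder for review.
$proc = Start-Process -FilePath $msert -ArgumentList '/F:Y', '/Q' -Wait -PassThru
"MSERT exit code: $($proc.ExitCode)" | Out-File -FilePath (Join-Path $OutDir 'msert-exitcode.txt')
$msertLog = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path $msertLog) {
    Copy-Item -Path $msertLog -Destination (Join-Path $OutDir 'msert.log') -Force
} else {
    Write-Warning "MSERT log not found at $msertLog; check that the scan actually ran."
}

# 4. Test-ProxyLogon.ps1: analyze the local Exchange and IIS logs and write findings to $OutDir.
#    -OutPath is the script's documented output parameter (assumed current here).
& $script -OutPath $OutDir

# 5. List what was collected so the analyst knows what to review (any non-empty
#    Test-ProxyLogon output file indicates potential attacker activity).
Get-ChildItem -Path $OutDir | Select-Object Name, Length, LastWriteTime
```

Record the output folder with the date of the MSERT and script downloads; because both tools change frequently, a clean result from last week's scanner is not evidence for today, and the scan should be repeated with fresh copies after each new release.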
Read more in
Bleeping Computer: CISA gives federal agencies 5 days to find hacked Exchange servers
Microsoft: Microsoft Safety Scanner