Source URL: https://www.microsoft.com/en-us/security/blog/2025/04/09/stopping-attacks-against-on-premises-exchange-server-and-sharepoint-server-with-amsi/
Source: Microsoft Security Blog
Title: Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI
Feedly Summary: Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. To help customers protect their environments and respond to these attacks, Exchange Server and SharePoint Server integrated Windows Antimalware Scan Interface (AMSI), providing an essential layer of protection by preventing harmful web requests from reaching backend endpoints. The blog outlines several attacks prevented by AMSI integration and highlights recent enhancements. The blog also provides protection and mitigation guidance and how defenders can respond.
The post Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI appeared first on Microsoft Security Blog.
AI Summary and Description: Yes
**Summary:**
The text provides an in-depth overview of the security risks associated with Microsoft Exchange and SharePoint Servers, particularly focusing on how attackers exploit various vulnerabilities, including Server-Side Request Forgery (SSRF) and NTLM relay techniques. The integration of the Antimalware Scan Interface (AMSI) is highlighted as a significant enhancement for detecting and preventing attacks. This is crucial for organizations that rely on these platforms as they navigate increasing threats.
**Detailed Description:**
The content covers a wide range of security implications related to Exchange and SharePoint Servers, emphasizing their critical nature for organizations. Key points include:
– **Vulnerabilities Exploited by Attackers:**
– Attackers have consistently exploited outdated or misconfigured servers to gain unauthorized access, often persisting inside networks undetected.
– Specific vulnerabilities like ProxyShell and ProxyNotShell were noteworthy attackers’ entry points, utilizing a combination of SSRF and privilege escalation.
– **Integration of AMSI:**
– The integration of AMSI to Exchange Server and SharePoint Server acts as an advanced protective layer by preventing harmful web requests from executing.
– AMSI scans incoming requests comprehensively, including request bodies, which is critical for blocking new forms of attacks.
– **Recent Attack Techniques:**
– Description of various attack methodologies, such as NTLM relay attacks through embedded links in Office documents and the deployment of web shells through web control abuses, illustrates the evolving tactics of threat actors.
– Specific cases like CVE-2023-29357 show how attackers have exploited authentication bypass vulnerabilities in SharePoint.
– **Defensive Measures and Guidance:**
– Recommendations for organizations include activating AMSI, applying security updates promptly, and maintaining antivirus protections.
– The importance of practicing least-privilege principles and regularly reviewing sensitive accounts to mitigate risks is emphasized.
– Detailed mitigation strategies are provided, including activating advanced scanning features and utilizing Microsoft Defender’s extensive detection capabilities to handle potential threats.
– **Monitoring and Response:**
– The text outlines how AMSI logs activities, enabling security teams to quickly identify potential compromises. It also discusses the use of Microsoft Defender for Endpoint and vulnerability management tools to proactively address threats.
Overall, the document serves as a crucial resource for security professionals managing Microsoft infrastructure, providing insights into potential vulnerabilities, illustrating various attack scenarios, and offering guidance on effective protective measures against emerging threats.