Persistently Vulnerable Exchange Servers: prepare for email throttling & blocking

Microsoft plans to throttle and even block emails sent from Exchange Server to Exchange Online. The transport-based enforcement system will report emails sent from vulnerable Exchange Servers and gradually delay and block mail flow to force admins to update their on-prem environments. This is to ensure superior security of Microsoft 365 organizations. See if the new feature affects you and what you can do to keep your mail flow running.

Who will be affected by the new Exchange throttling policy?

According to this Exchange Team article, the update is aimed to combat “persistently vulnerable Exchange Servers”.

The system will be rolled out in stages. At first, the transport-based enforcement system will only apply to Exchange Servers that connect to Exchange Online using an inbound OnPremises connector. In other words, only hybrid environments will be affected at first. However, according to Microsoft, the system’s primary objective is to prevent potentially malicious emails from entering Exchange Online and to force organizations to patch their on-premises servers. So it’s safe to expect that eventually it will also affect organizations that fail to secure their on-prem environments, even when they’re not in hybrid.

Transport-based enforcement system applies only to high-risk environments, that is “persistently vulnerable Exchange Servers”. Let’s see what it means.

What is a persistently vulnerable Exchange Server?

A persistently vulnerable Exchange Server is an Exchange Server instance for which there are known vulnerabilities that have not been addressed yet. So, if there is a security update (SU) you’ve been saving for later, know that the clock is ticking.

The bigger problem is when you’re on an Exchange Server version that has reached its end of life (or “end of extended support” if you prefer official names). This means that this version will not receive any further SUs. In other words, it’s in the transport-based enforcement system’s crosshairs already.

Email throttling & blocking timeline

There are two timelines that apply to Exchange Server’s mail flow throttling and blocking:

• Transport-based enforcement system’s stages. In other words, how the system handles reporting, throttling and blocking.
• Feature rollout. Since the email throttling and blocking can potentially affect (and harm) multiple organizations, Microsoft starts with the oldest on-premises environment that supports hybrid and will gradually add newer (less vulnerable) servers.

Transport-based enforcement system stages

There are 8 stages in total. Stage 1 begins as soon as the system detects a non-compliant server. If the vulnerability is not resolved, the system will progress to the next stage after a specified period of time.

The first stage lasts 30 days, each next stage lasts 10 days.

1. For the first 30 days, non-compliant server(s) will appear in the new mail flow report. During this period, there is no email throttling or blocking. It’s a warning phase that gives time to install the newest SU.
2. Mail flow throttling begins. For 5 minutes every hour, emails will bounce with an SMTP 450 error. As a result, email delivery will be delayed.
3. Throttle increases to 10 minutes per hour.
4. Throttling period increases to 20 minutes per hour.
5. Throttling caps at 30 minutes per hour. Email blocking begins. Since this moment, for 5 minutes every hour, Exchange Online will bounce emails with a permanent SMTP 550 error. Those emails will not reach final recipients and senders will need to send them again.
6. Blocking period increases to 10 minutes per hour.
7. Blocking period increases to 20 minutes per hour.
8. The final stage, enforced after 90 days of non-compliance. That’s when all emails from vulnerable server(s) will be blocked.

Rollout stages

The transport-based enforcement system will be introduced gradually. The start date is when a certain Exchange distribution (version) will be first scanned for vulnerabilities and the Stage 1 Enforcement can begin. So, if your Exchange 2019 is patched, it will not be treated as persistently vulnerable.

1. June 23, 2023 – Exchange 2007
2. September 23, 2023 – Exchange 2010
3. December 23, 2023 – Exchange 2013
4. March 24, 2024 – Exchange 2016 & 2019

Exchange Team revealed plans relating to the Transport Enforcement System

Ways to stay compliant

To prevent mail flow throttling and blocking don’t be behind with security updates of your Exchange Server. And, above all, make sure you don’t have any unpatched Exchange 2007 lurking somewhere in the basement.

A short-term solution is to pause enforcement. You can request this option directly from the EAC mail flow report and you can use this option for up to 90 days per year to temporarily stop mail flow throttling and blocking if you let the system get beyond the Stage 1 (see enforcement stages). It’s an option that will be probably used a lot. Many companies follow a policy to wait before deploying SU on production environment to prevent rollbacks in case something breaks after an update.

Unfortunately, you won’t be able to ensure your on-premises environment’s security if you have an Exchange version that has reached its end of life. In this case, the only real way to move forward is to migrate to a supported Exchange version or to a cloud only environment.

How to migrate?

Migration under the pressure of time poses a lot of risks. Quite ironic, since in this scenario the migration is forced by a feature that should counter risks.

To migrate with confidence, use a dedicated migration tool. This way, you can benefit from:

• 24/5 technical assistance from people who handle complex migration projects on a daily basis.
• Streamlined and simplified migration process (no scripting or complex planning).
• Advanced reporting.
• Unlimited delta migrations to make sure each mailbox item is migrated.