
Thank God ..
.. we are in the process of ripping out all of Microsoft Exchange.
It's only taken about 5 years to get to this stage, sigh.
I will bite. How do you mean? I do know you can have Exchange live behind ADFS and WAP, but these current exploits require an authenticated account anyway, so would get past the WAP. The calls to Exchange are quite valid remote PowerShell calls and use an exploit via normal channels.
How else do you mean for Exchange to be able to send email externally and not be connected to the internet? How would you get OWA working, for example?
We run hybrid AD and migrated on-site to off-site Exchange; this needs an Exchange server to operate (no mailboxes on the server, plus there is no route for on-site Exchange OUT via SMTP either; only Microsoft 365 IPs can connect IN via the firewall), so it's about as good as I can get it. I suppose I could also hamstring IIS too if necessary.
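As an added illustration (not code from any commenter) of auditing the firewall posture the post above describes, a hybrid Exchange host that must accept SMTP only from Microsoft 365 and must never relay SMTP out; the CIDRs and rules are constructed placeholders, since in practice the source ranges come from Microsoft's published endpoint list:

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges standing in for the Microsoft 365 SMTP
# source ranges (assumption: replace with the official published list).
M365_SMTP_SOURCES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")
]

@dataclass
class Rule:
    name: str
    direction: str   # "in" (to the Exchange host) or "out" (from it)
    src: str         # source CIDR as seen by the firewall
    dst_port: int
    action: str      # "allow" or "deny"

def audit_smtp_rules(rules):
    """Return one finding per allow-rule that weakens the hybrid posture:
    any outbound SMTP, or inbound SMTP from outside the M365 ranges."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_port != 25:
            continue  # only SMTP allow-rules matter here
        if r.direction == "out":
            findings.append(f"{r.name}: outbound SMTP allowed; hybrid box should not relay out")
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        covered = any(
            src.version == allowed.version and src.subnet_of(allowed)
            for allowed in M365_SMTP_SOURCES
        )
        if not covered:
            findings.append(f"{r.name}: inbound SMTP from {r.src} is outside the M365 source ranges")
    return findings

# Constructed sample rule set: one correct inbound rule, one over-broad
# inbound rule, one forbidden outbound rule, and one non-SMTP rule.
SAMPLE_RULES = [
    Rule("m365-in", "in", "203.0.113.0/24", 25, "allow"),
    Rule("any-in", "in", "0.0.0.0/0", 25, "allow"),
    Rule("relay-out", "out", "10.0.0.5/32", 25, "allow"),
    Rule("https-in", "in", "0.0.0.0/0", 443, "allow"),
]

if __name__ == "__main__":
    for line in audit_smtp_rules(SAMPLE_RULES):
        print(line)
```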
Technically, you can, but it involves putting a content-aware proxy in between the Exchange server(s) and the firewall. While such things do exist (there's an iApp for the F5 load balancers), it also requires adding custom code to said load balancer, which is not for the faint of heart. Oh, and it still wouldn't protect you against this exploit, and it'll break rather a lot of stuff that things like mobile clients use.
Exchange should only ever swap email externally through an Edge server and/or an SMTP gateway appliance (i.e. a spam filter). While you could hook up a node directly for SMTP exchange, it's a really bad idea. (I was against putting Edge nodes into ours until I discovered that the cloud-based email security appliances we migrated to a couple of years back required it; this has resulted in at least one problem where user A blocks a sender as junk, the Edge boxes dutifully start doing so, and then user B complains they aren't getting emails from that sender anymore...)
One of my projects this year is migrating to Exchange Online, which I'm pretty sure will cause the bald spot forming on my head to grow. :(
Having programmed modules for exchange and outlook, I’m still surprised that the thing actually works.
My IT admin in a previous company told me that a rule of thumb is 1 IT Engineer per Exchange server. I may be off, but I doubt by too much.
GSuite seems to work for most use cases.