Microsoft is sounding the alarm once again about the ongoing risks of running outdated Exchange Servers. The tech giant has officially deprecated the old Office Configuration Service (OCS) certificate, effectively cutting off outdated Exchange Servers (versions older than March 2023) from receiving critical security mitigations. If you're an Exchange admin still clinging to an old server configuration (and you’d better not be), it’s time to act. Experts are urging organizations to upgrade or—better yet—ditch their on-premises servers for the cloud. Let’s unpack what’s happening and why this matters for every IT department and Windows user.
The Major Announcement: No More Mitigations for Outdated Exchange Servers
Microsoft recently announced that its Exchange Emergency Mitigation Service (EEMS)—a kind of defensive hotfix system for Exchange Servers—is now useless on systems running versions older than March 2023. EEMS was supposed to be a lifesaver, downloading temporary mitigations directly to Exchange Servers to address vulnerabilities before formal patches were released. These measures are critical for protecting against threats like zero-day exploits. But none of that matters if your server is too old to validate the new certificates introduced for secure mitigation downloads. Without up-to-date certificates, organizations running older Exchange versions will encounter errors—and worse, vulnerabilities that go unaddressed.
If you check your Event Viewer logs today and see entries like Event ID 1008 for the MSExchange Mitigation Service complaining about exceptions when fetching mitigations, guess what? You’re in trouble.
The Experts’ Verdict: Move to the Cloud Now
David Shipley, a Canadian expert in security awareness, didn’t mince words: “Running your own Exchange Server is really a bad idea in 2025.” And he’s right. On-premises Exchange environments have been a battlefield rife with vulnerabilities and breaches, the most egregious of which include the ProxyLogon and ProxyShell exploits. These exploits exposed countless servers to malicious actors, including state-sponsored hacking groups like the well-documented China-based group Hafnium. Furthermore, the operational headaches of patching these servers, deploying hardware upgrades, and handling unexpected outages have IT admins pulling their hair out.
Shipley went a step further, doubling down on his recommendation to move to Microsoft 365, the cloud-based alternative. Microsoft 365 automatically incorporates the latest fixes and changes without the need for admin intervention. In the eternal battle between cloud services and on-premises infrastructure, 2025 seems to be tipping overwhelmingly to the cloud.
But let’s be real: even Microsoft 365 isn’t entirely invulnerable. While it simplifies patch management and leaves much of the heavy lifting to Microsoft, security responsibility isn’t entirely outsourced. Thorough configurations, email security practices, and regular monitoring remain critical for safeguarding your cloud-based email service.
Why Some Organizations Are Still Lurking in 2013
Despite the eyebrow-raising caution, outdated versions like Exchange 2013 (yes, it still exists in some environments) stubbornly persist. Why? Experts point to a few reasons:
- Cost-Cutting Measures
Upgrades—whether hardware or software—aren’t cheap. Organizations often delay them as long as possible, either for budgetary reasons or because they underestimate the risks of continuing with legacy software.
- Fear of Downtime
Some believe migrating to the cloud or moving to a newer Exchange version will disrupt critical business operations or fail during the migration phase. Honestly, that’s like avoiding getting brakes fixed on your car because you don’t want to take it off the road for repairs—it doesn’t end well.
- Legacy Systems
Many legacy systems are deeply integrated with older Exchange versions, making upgrading a daunting task with unpredictable consequences. It’s the IT equivalent of removing a Jenga block and hoping the structure doesn’t come crumbling down.
- Lack of Expertise
Especially for smaller organizations, IT teams may not have the in-house expertise to execute an Exchange upgrade or manage a cloud migration.
History Rhymes: Exchange's Security Headaches
Exchange Server is no stranger to controversy. Let’s refresh our memory on a few incidents:
- ProxyLogon (2021): An infamous set of vulnerabilities that allowed attackers to execute arbitrary code on vulnerable servers, leading to massive cybersecurity breaches across the globe.
- ProxyShell Chain: A triple-whammy of vulnerabilities used to bypass authentication and elevate privileges in Exchange environments.
Nonetheless, EEMS is only helpful if the server can communicate with OCS—something older Exchange systems can no longer do. Or, as Johannes Ullrich from the esteemed SANS Institute put it: “On-premises Exchange... should be considered a legacy product.”
Microsoft’s Push to the Cloud: Resistance is Futile?
Microsoft’s overarching goal is clear: push Exchange users toward cloud offerings like Microsoft 365. Fewer on-premises servers mean fewer headaches for everyone, from Microsoft to IT admins. But is the seemingly constant drumbeat of “cloud or bust” good for everyone?
Here’s the breakdown:
The Cloud (Microsoft 365)
- Pros:
  - Seamless automatic updates, eliminating most manual patching.
  - Robust scalability and reduced reliance on internal IT teams.
  - Advanced security and compliance tools built into the service.
- Cons:
  - Ongoing subscription costs might exceed traditional licenses over time.
  - Some organizations may face local data compliance issues preventing a full cloud migration.
  - Cloud environments are still targeted by attacks, and misconfigurations can leave gaping vulnerabilities.
On-Premises Exchange
- Pros:
  - Full control over data and configurations.
  - Potentially lower costs for large, well-equipped organizations.
- Cons:
  - Requires constant oversight, patching, and hardware investments.
  - High-maintenance, leaving organizations vulnerable to exploits if mismanaged.
The Takeaway: Stop Procrastinating
Legacy infrastructure is a precarious foundation—it’s not “if” something will go wrong; it’s “when.” Experts like Shipley and Cressey highlight compelling reasons why moving to the cloud can improve security and operations, especially in a landscape where attackers only need one unpatched server to wreak havoc.
Admins still dragging their feet on updates need to bite the bullet. If budget constraints are an issue, plan incremental upgrades or, at the very least, ensure your servers meet the minimum March 2023 standard. Skipping updates or ignoring Microsoft’s latest security advisories will only open the door wide for attackers.
As a parting thought: ask yourself, would you use an operating system from 2013? Probably not. So why take the risk with email servers that your employees rely on for critical communication?
For Exchange Admins:
- Check your Exchange version now! Ensure it meets or exceeds March 2023 Cumulative Updates or Security Updates.
- If errors like Event ID 1008 crop up, you’re already behind.
- Explore migration options to Microsoft 365 for long-term peace of mind.
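
One way to run the first two checks above across every server in the organization, as an added example that is not part of the original article. It assumes the Exchange Management Shell, that Event ID 1008 lands in the Application log under the provider name quoted above, and an arbitrary 7-day look-back window.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell.
# Assumptions: Event ID 1008 is logged to the Application log under the provider
# name the article quotes; the 7-day window is an arbitrary choice.
$provider = 'MSExchange Mitigation Service'
$since    = (Get-Date).AddDays(-7)
$filter   = @{ LogName = 'Application'; ProviderName = $provider; Id = 1008; StartTime = $since }

$report = foreach ($server in Get-ExchangeServer) {
    $count = $null; $latest = $null; $note = ''
    try {
        $events = @(Get-WinEvent -ComputerName $server.Name -FilterHashtable $filter -ErrorAction Stop)
        $count  = $events.Count
        $latest = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $count = 0   # Get-WinEvent raises an error when nothing matches the filter
        } else {
            # Unreachable host, missing provider, access denied: unknown, not "clean"
            $note = "log query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Server             = $server.Name
        Version            = $server.AdminDisplayVersion  # compare with Microsoft's published build numbers
        MitigationsEnabled = $server.MitigationsEnabled   # empty on builds that predate EEMS
        Event1008Count     = $count
        LatestEvent1008    = $latest
        Note               = $note
    }
}

# Servers with recent 1008 errors first; an empty count means the log could not be read.
$report | Sort-Object Event1008Count -Descending | Format-Table -AutoSize
```

A server whose row shows an empty `Event1008Count` and a `Note` was not checked at all, so treat it as unverified instead of healthy.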
Source: Computerworld Update Exchange Server or move to the cloud, say experts