
If your team still runs Microsoft Exchange Server, treat this as a fire alarm.
Four major cybersecurity agencies released guidance that exposes the reality behind Exchange attacks. The Australian Cyber Security Centre has warned that Exchange environments face continuous targeting and should be considered under imminent threat. Microsoft ended support for previous Exchange versions on October 14, which leaves countless organizations exposed to exploitation.
On top of that, a critical Windows Server Update Service issue triggered emergency patches after active exploitation attempts struck multiple organizations, according to the US Cybersecurity and Infrastructure Security Agency.
Statistics behind the attacks
The numbers are ugly, and they are not abstract. Microsoft Exchange Server appears 16 times on CISA’s known exploited vulnerabilities catalog since 2021, with 12 of those vulnerabilities actively deployed in ransomware campaigns. Nation-state attackers and cybercriminals swarm these systems, which turns them into prime real estate for sophisticated attacks.
Companies running unsupported Exchange versions now face unprecedented compromise risks. Microsoft Exchange Server Subscription Edition stands as the sole supported on-premises version after support for previous versions ended on October 14. Threat intelligence analysts emphasize that end-of-life environments operate at heightened risk of compromise and serve as easy entry points that attackers actively exploit.
Four-nation security collaboration
The NSA, CISA, Australia’s Cyber Security Centre, and Canada’s Cyber Centre jointly released comprehensive security practices for Exchange hardening. That is an unusual level of coordination and a clear sign of how serious the threat has become.
The guidance zeroes in on three defense pillars: strengthening user authentication with multi-factor implementation, ensuring robust network encryption through TLS configurations, and reducing application attack surfaces. It is not tied to a single zero-day or headline bug. Instead, CISA’s executive assistant director underscored that organizations face constant threats that demand immediate action.
This blueprint builds upon CISA’s Emergency Directive 25-02 and recommends proactive prevention techniques to counter cyber threats head-on, with a particular focus on protecting sensitive information and communications within on-premises Exchange Servers as part of hybrid Exchange environments.
Words on WSUS
IT teams are scrambling after a critical Windows Server Update Service vulnerability, tracked as CVE-2025-59287, sparked widespread exploitation attempts in recent weeks. The situation escalated when Microsoft’s initial patch in mid-October failed completely, which forced an emergency out-of-band security update late last week.
Threat analysts report that attackers breached systems, conducted reconnaissance, and exfiltrated sensitive data from multiple organizations. Google’s Threat Intelligence Group is investigating attacks across numerous organizations, while specialists at Eye Security suspect multiple threat groups are coordinating these campaigns.
Activity tapered quickly, but not before several organizations suffered serious compromise. CISA issued updated guidance that urges security teams to treat the threat with maximum urgency, including specific PowerShell commands to check whether WSUS is installed and to identify servers exposed via TCP ports 8530 and 8531.
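The kind of check described above, written as an added example in PowerShell; it is not the command set from CISA's guidance and not code from this article. It assumes an elevated session on a Windows Server host, and the function names are hypothetical.

```powershell
# Added example: local WSUS exposure check for a Windows Server (run elevated).
# Ports 8530/8531 are from the article; function names here are hypothetical.
$WsusPorts = 8530, 8531

function Test-PortCovered {
    # True if a firewall LocalPort spec ('Any', '8530', '8000-9000') covers $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

function Get-WsusExposure {
    # 1. Is the WSUS role installed? Get-WindowsFeature exists only on Server SKUs.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $installed = [bool]($role -and $role.Installed)
    # 2. Listeners on the WSUS ports that are not bound to loopback only.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })
    # 3. Enabled inbound allow rules (TCP or any protocol) that cover those ports.
    $rules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin 'TCP', 'Any') { continue }
        $hit = @($WsusPorts | Where-Object { Test-PortCovered -Spec $pf.LocalPort -Port $_ })
        if ($hit.Count -eq 0) { continue }
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = $hit -join ','
            RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WsusInstalled  = $installed
        ListeningPorts = @($listeners | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
        AllowRules     = @($rules)
        # Worth urgent review: role present, port listening, and a rule admitting any source.
        NeedsReview    = $installed -and $listeners.Count -gt 0 -and
                         [bool](@($rules) | Where-Object { $_.RemoteAddress -match 'Any' })
    }
}

Get-WsusExposure | Format-List
```

A host-side result only reflects the local firewall; whether 8530 or 8531 is reachable from outside also depends on perimeter devices and should be confirmed from the network side.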
Next steps
Put that coffee down and move now. Security professionals emphasize that applying Microsoft’s emergency patch and implementing the agencies’ recommendations can be the difference between protection and compromise.
CISA strongly advises evaluating cloud-based email services instead of managing complex on-premises communication infrastructure. The most effective defense requires ensuring all Exchange servers run the latest versions with current cumulative update patches.
IT teams should immediately decommission end-of-life Exchange servers in hybrid environments, as keeping outdated servers dramatically increases security breach risks. CISA emphasizes that maintaining just one last Exchange server that is not kept up to date can expose entire organizations to attacks.
Last week, the Azure cloud computing platform took down a long list of services from Xbox Live and Microsoft 365 to critical systems for airlines and banks.