Microsoft has announced security enhancements for its on-premises server products, integrating Windows Antimalware Scan Interface (AMSI) with SharePoint Server and Exchange Server.
The integration adds a layer of protection to these business-critical assets, which are frequently targeted by sophisticated threat actors.
New Security Features Target Advanced Threats
The AMSI integration runs as a security filter module in the IIS request pipeline: every incoming HTTP request is handed to the AMSI-capable antimalware provider registered on the server (Microsoft Defender Antivirus in a default installation) before it reaches Exchange or SharePoint code.
When the provider flags a request, the module returns an HTTP 400 Bad Request response, so the attack is blocked before any application code runs. The protection is therefore only as strong as the antivirus engine and signatures behind AMSI, which is why Microsoft pairs this feature with its advice to keep antivirus enabled and up to date.
A key improvement in recent releases is the extension of scanning to HTTP request bodies, not just headers; earlier builds scanned only the headers, which left body-borne payloads such as SOAP requests to EWS or crafted PowerShell remoting calls uninspected.
Request body scanning is available starting with SharePoint Server Subscription Edition Version 25H1 and the Exchange Server November 2024 Security Update (SU).
“With AMSI integrated, malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates,” noted Microsoft in their announcement.

Common Attack Vectors Targeting Exchange and SharePoint
Security researchers have documented several attack methods used against these platforms, and Microsoft publishes an advanced hunting query that surfaces a common post-exploitation symptom: the IIS worker process (w3wp.exe) for an Exchange or SharePoint application pool spawning child processes it normally would not:
```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "SharePoint"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
The query keys on the worker process's command line to pick out only Exchange and SharePoint application pools, then excludes a few helpers those pools legitimately launch (the ASP.NET dynamic compiler csc.exe and cvtres.exe, conhost.exe, and Exchange's OleConverter.exe). Anything else spawned by w3wp.exe, above all cmd.exe, powershell.exe or net.exe, is a strong indicator of a web shell or exploit payload and warrants investigation.
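For servers that are not onboarded to Microsoft Defender for Endpoint, the same hunt can be run locally against the Security event log. The script below is an added example, not part of Microsoft's announcement or its query set: it reads process-creation events (ID 4688) and reports children of w3wp.exe that are not on the benign list. It assumes "Audit Process Creation" is enabled and, for the CommandLine column, that "Include command line in process creation events" is turned on; the $Days parameter and the output shape are this example's own choices.

```powershell
# Added example (not Microsoft's code): local-host equivalent of the advanced hunting query.
# Run in an elevated PowerShell session on the Exchange or SharePoint server.
param([int]$Days = 7)

# The same benign children the KQL query excludes (ASP.NET compiler and converter helpers).
$benign = 'csc.exe', 'cvtres.exe', 'conhost.exe', 'OleConverter.exe'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than relying on property order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = $data['ParentProcessName']
    $child  = $data['NewProcessName']
    if (-not $parent -or -not $child) { continue }   # older OS builds do not log ParentProcessName

    if ((Split-Path $parent -Leaf) -ieq 'w3wp.exe' -and
        (Split-Path $child -Leaf) -notin $benign) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Child     = $child
            CmdLine   = $data['CommandLine']        # empty unless command-line auditing is on
            ParentPID = $data['ProcessId']          # creator PID, logged as a hex string
        }
    }
}

# Event 4688 does not record the parent's command line, so unlike the KQL query this cannot tell
# an Exchange or SharePoint application pool from another site on the same IIS host. Correlate
# ParentPID with the live worker-process list ("appcmd list wp") when more than one pool exists.
$hits | Sort-Object Time | Format-Table -AutoSize
```

Because w3wp.exe is short-lived under recycling, the creator PID in ParentPID only maps to an application pool while that worker process is still running; for historical events, the UserName column (the app pool identity) is usually enough to attribute the hit.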
In one documented attack, threat actors exploited CVE-2023-29357, a critical authentication bypass vulnerability in SharePoint Server, by spoofing X-PROOF_TOKEN and Authorization headers.
Similarly, Exchange Server's Autodiscover front end has been abused through CVE-2022-41040, a server-side request forgery (SSRF) flaw that lets an attacker route requests to back-end endpoints, such as the PowerShell remoting endpoint, that the front end would not otherwise expose.
Risk Factor Analysis
| Risk Factor | Description | Mitigation |
|---|---|---|
| SSRF exploitation | Unauthorized requests leading to privilege escalation and RCE. | Enable AMSI and apply security updates. |
| NTLM relay attacks | Credential leakage and account compromise via NTLM authentication. | Follow Microsoft's NTLM relay attack mitigation guidance. |
| Web shell deployment | Stealthy backdoor creation and persistence through web shells. | Monitor and investigate suspicious .aspx file interactions. |
| EWS abuse | Mailbox exfiltration and sensitive data theft using EWS APIs. | Enable AMSI request body scanning and monitor EWS traffic. |
| Insecure deserialization | Execution of system-level commands via crafted PowerShell requests. | Inspect PowerShell commands and arguments for anomalies. |
| Web control abuse | Arbitrary code execution through malicious BDCMetadata.bdcm files. | Restrict site owner privileges and validate BDCMetadata.bdcm files. |
Protection Recommendations
Microsoft recommends that organizations implement multiple layers of protection:
- Activate AMSI on Exchange Server and SharePoint Server, and enable request body scanning
- Apply the latest security updates immediately
- Keep antivirus and other protections enabled, with cloud-delivered protection and automatic sample submission
- Review sensitive roles and groups regularly for suspicious additions
- Restrict access using the principle of least privilege and maintain credential hygiene
- Prioritize alerts for suspicious processes such as net.exe, cmd.exe and powershell.exe launched from IIS application pools (w3wp.exe)
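On Exchange Server the first recommendation is a few Exchange Management Shell commands. The script below is an added example, not taken from the announcement: it checks that AMSI has not been switched off by a setting override, enables request body scanning with the override name Microsoft's documentation uses (EnableAMSIBodyScan), and applies the change. It assumes the November 2024 SU or later is installed; the override names and reasons are free text and only the Component and Section values matter. SharePoint's AMSI setting is managed in Central Administration and is not shown here.

```powershell
# Added example (not Microsoft's code): enable AMSI request body scanning on Exchange Server.
# Run from the Exchange Management Shell. Setting overrides live in Active Directory and apply
# to every server in the organization unless -Server is given.

# 1. AMSI is on by default; the only way it goes off is an override on the HttpRequestFiltering
#    section with Enabled=False. Find and remove any such override.
$amsiOff = Get-SettingOverride | Where-Object {
    $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering' -and
    ($_.Parameters -join ';') -match 'Enabled=False'
}
if ($amsiOff) {
    Write-Warning "AMSI disabled by override(s): $($amsiOff.Name -join ', ') - removing them"
    $amsiOff | Remove-SettingOverride -Confirm:$false
}

# 2. Turn on request body scanning (headers were already scanned). Skip if an override for
#    this section already exists so the script is safe to re-run.
if (-not (Get-SettingOverride | Where-Object { $_.SectionName -eq 'AmsiRequestBodyScanning' })) {
    New-SettingOverride -Name 'EnableAMSIBodyScan' -Component Cafe -Section AmsiRequestBodyScanning `
        -Parameters @('Enabled=True') -Reason 'Enabling AMSI request body scanning'
}

# 3. Overrides take effect only after the variant configuration is refreshed and IIS is restarted.
#    Repeat these two commands on every Exchange server; the restart briefly interrupts client access.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null
Restart-Service -Name W3SVC, WAS -Force

# 4. Verify: list the overrides that now apply to the front-end (Cafe) component.
Get-SettingOverride | Where-Object ComponentName -eq 'Cafe' |
    Format-Table Name, SectionName, Parameters, Reason -AutoSize
```

Two caveats a practitioner should keep in mind: body scanning has a maximum request size above which bodies are not inspected, and a separate override governs whether oversized bodies are blocked rather than passed through, so check the Exchange AMSI documentation for the current limit and that override's exact section name before relying on it; and because an override is organization-wide by default, stage it with -Server on one mailbox server and watch for false positives (HTTP 400 responses in the IIS logs) before rolling it out.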
Microsoft Defender XDR customers can leverage specialized detections for SharePoint Server threats (Exploit:Script/SPLobSystemRCE.A, Exploit:Script/SPLobSystemRCE.B) and Exchange Server threats (Exploit:Script/SuspMailboxSearchEWS.A, Exploit:Script/ExchgProxyRequest).
Organizations using Microsoft Sentinel can implement specialized hunting queries to identify suspicious activities and potential compromises through TI Mapping analytics and predefined detection rules.
These enhancements represent Microsoft’s ongoing commitment to securing on-premises server infrastructure against increasingly sophisticated cyber threats targeting these high-value business assets.