Ptechhub

Cyber agencies co-sign Exchange Server security guide | Computer Weekly

By Computer Weekly
October 31, 2025


Three out of the five Five Eyes states – Australia, Canada and the US – have issued guidance to help end-user organisations secure their Microsoft Exchange Server instances, stemming in part from an emergency alert that the US Cybersecurity and Infrastructure Security Agency (CISA) issued in August concerning CVE-2025-53786, an elevation of privilege (EoP) flaw affecting all versions of the widely used product.

The document sets out a number of proactive prevention techniques to address threats and protect sensitive data and communications within on-premise Exchange Servers as part of hybrid environments, and CISA described it as a critical resource for users reliant on Microsoft Exchange.

Nick Anderson, executive assistant director of the agency’s Cybersecurity Division, said: “With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems. This guidance empowers organisations to proactively mitigate threats, protect enterprise assets and ensure the resilience of their operations.  

“Furthermore, CISA recommends that organisations evaluate the use of cloud-based email services instead of managing the complexities associated with hosting their own communication services. CISA provides secure baselines for these through our Secure Cloud Business Applications [SCuBA] programme.” 

The guidebook outlines several steps admins need to take to optimise their Exchange security posture – many of them form basic elements of cyber security best practice, such as restricting access, implementing multifactor authentication (MFA), enforcing strict transport security configurations and mandating zero-trust principles.

It also emphasises that since Microsoft Exchange Server Subscription Edition (SE) is now the only supported on-premise version of Exchange – previous versions having fallen out of support on 14 October 2025 alongside Windows 10 – those that are running unsupported versions should migrate to SE or an alternative supported email server software or service.

Should that not be immediately possible, admins could consider isolating old Exchange Server instances in a dedicated network segment and only using them internally; if they must be used externally, admins could look into hiding them from public internet connections behind a separate and supported email security gateway intermediary.

“Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions,” wrote the guide’s authors.

“By adhering to the best practices outlined in this document, organisations can significantly reduce their risk from cyber threats. Continuously evaluating and hardening the cyber security posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organisations.”

‘Devastating commentary’

A.J. Grotto, a former White House cyber policy lead during the Obama and first Trump administrations, and now at California’s Stanford University, said the publication was an unusual move that did not necessarily reflect well on Microsoft.

“Governments do not normally step in to provide detailed guidance on behalf of private companies on how to safely operate their products,” said Grotto. “The fact that a multilateral coalition of security and intelligence agencies felt obligated to produce something like this is a devastating commentary on Microsoft’s security posture.

“Microsoft gets away with its negligence because they have customers locked into their ecosystem – which gives Microsoft leverage to pass risk and expense along to their customers. It’s not a good look.”


