Microsoft announced on Friday that it had made additional improvements to the mitigation mechanism available to thwart exploitation efforts against the recently discovered unpatched security weaknesses in Exchange Server.

To that end, Microsoft updated the blocking rule in IIS Manager from “.*autodiscover.json.*Powershell.*” to “(?=.*autodiscover.json)(?=.*powershell).”

The new instructions for adding the URL Rewrite rule are listed below as per the Microsoft bulletin:

  1. Launch IIS Manager.
  2. Choose Default Web Site.
  3. Click URL Rewrite in the Feature View.
  4. Click Add Rule(s) on the right-hand side of the Actions pane.
  5. Click OK after selecting Request Blocking.
  6. Include the phrase “(?=.*autodiscover.json)(?=.*powershell)” (excluding quotes).
  7. Under Using, choose Regular Expression.
  8. Select Abort Request from the How to Block menu, then click OK.
  9. Expand the rule and choose the rule that contains the pattern: (?=.*autodiscover.json)(?=.*powershell) and select Edit from the Conditions menu.
  10. Change the URL condition entry to UrlDecode:REQUEST URI and then click OK.

Users can also achieve the required security measures by running the PowerShell-based Exchange On-premises Mitigation Tool (EOMTv2.ps1), which has been upgraded to account for the aforementioned URL pattern.

The actively exploited vulnerabilities, known as ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), have yet to be fixed by Microsoft. However, with Patch Tuesday approaching, the wait may not be long.

If the weaknesses are successfully weaponized, an authorized attacker might use the two vulnerabilities to gain remote code execution on the underlying server.

The IT titan admitted this week that a single state-sponsored attacker could have exploited the vulnerabilities as early as August 2022 in limited, targeted attacks on fewer than ten organizations worldwide.

Update: Microsoft said over the weekend that it had made another change to the URL string – “(?=.*autodiscover)(?=.*powershell)” – which will be added to the blocking rule in IIS Manager to prevent exploitation attempts.

NEXT MASTERCLASS! AGENDA Thu, Oct 27, 2022 – 11:00AM

Sharing is Caring!

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”

For media enquiries, contact us at [email protected].


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center