Are email servers doomed to eternal vulnerability? International cybersecurity partners think otherwise.
When, in late 2025, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA), in collaboration with international cybersecurity partners, created a best practice guide for Microsoft Exchange server security, an ever-so-relevant question arose: Why now?
Because Exchange servers are used widely and are persistently being threatened, the guide says. Sure, but so are endpoints in general.
OK, then what about Exchange’s end-of-life (EOL) versions being at a heightened risk of compromise? Like any other EOL product, you mean?
It’s always a good idea to proactively mitigate risk! Of course, but isn’t that a widely accepted cybersecurity standard?
You get the idea.
So, are best practices inherently a cliché, mundane tracts on known measures, or is there more to them? Let’s see.
Why Microsoft Exchange server security is critical right now
The 2025 Microsoft Exchange Server Security Best Practices guide demands to be taken seriously, and for good reason.
We have written about server security before, mostly about how on-prem servers still have a place within organizational environments due to their data control, speed, and integration-enabling aspects. However, on-prem isn’t without its faults, with the Exchange server attack saga in 2021 and the ToolShell vulnerability in July 2025 demonstrating a case for bespoke server security. The same goes for third-party cloud options, for which the risk gets higher due to supply chain security considerations.
All in all, the NSA best practice guide’s seemingly sensational declaration of how “Exchange servers should be considered under imminent threat” becomes less exaggerated the more one learns about the server threat landscape.
Email clients and servers are ideal anchor points for initial access, after which privilege escalation is just a matter of a few internal spearphishing emails. Following this, the result of a compromise then depends on what the attacker’s end goal is: to spread ransomware, install spyware, or something else.
Key takeaways from the 2025 Exchange server best practice guide
So just how useful is the best practice guide in steering email server security? Let’s tackle its parts one by one.
Prevention and patch management come first
Prevention is a no-brainer; it’s really the perfect approach to shore up company resilience. The guide recommends it first, emphasizing foundational principles enshrined in zero trust, timely patching, and attack surface minimization.
The top mitigating measure is, as always, timely patching. All Exchange servers should be running the latest versions, as delays compound the risk of exploitation through known vulnerabilities (like ToolShell). Microsoft supports security via biannual cumulative updates and monthly security hotfixes or interim mitigations; the interim mitigations can be deployed automatically through Microsoft’s Emergency Mitigation Service, so it’s good to have that service enabled.
Alongside this, be mindful of product EOL, both for Exchange and email clients in use.
The role of layered security in Exchange environments
The best practice guide continues to detail how security baselines—at ESET, we call them layers—help maintain a consistent security configuration across an organization’s network. In other words, your email server, your email clients, and the OS they’re running on all require specific, holistic measures to heighten overall resilience. With an overall resilience baseline in place, admins can more easily spot deviations from it, giving them firmer control over the attack surface.
Interestingly, the guide implies that third-party endpoint protection, including an endpoint detection and response (EDR) solution, might work best. Such tools provide the visibility, detection, and protection capabilities needed to defend Exchange servers and Windows servers from advanced threats, capabilities that regular anti-malware tools lack.
However, the guide also recommends a combination of third-party and built-in features (like Antimalware Scan Interface or App Control) for a more in-depth approach.
Harden authentication and encryption for Exchange
Following prevention, the next section of the guide is more or less about zero trust and encryption. We can divide it into two parts: (1) feature functionalities and (2) strategic measures.
Feature functionalities
- Transport Layer Security (TLS) encryption: TLS protects data in transit and its integrity, mitigating techniques such as replay, data tampering, and impersonation.
- Extended protection: This provides additional authentication defenses against adversary-in-the-middle (AitM), relay, and forwarding techniques by tying authenticated credentials to the TLS session in which they were presented.
- Certificate-based signing of PowerShell serialization: Enabling certificate-based signing provides protection from unauthorized serialization payload manipulations. Moreover, admins should also disable PowerShell access by users to reduce an Exchange server’s attack surface.
In fact, solutions like ESET Mail Security have PowerShell access for users disabled by default, except for admin accounts that require it to manage Exchange.
- HTTP Strict Transport Security (HSTS): HSTS is an HTTP response header that directs a browser to only connect to the server using HTTPS for a specified amount of time, mitigating several AitM techniques.
- Download Domains: With Download Domains configured, attachments are served from a separate domain, so malicious cyber actors cannot steal the authentication cookies set by browsers: the session on that separate domain does not have access to the Outlook on the web authentication cookie.
- P2 FROM header manipulation detection: The P2 FROM header is the sender address displayed to recipients (as opposed to the envelope sender), and manipulating it is a common phishing technique. Exchange can detect this technique by default and counters it by adding a phishing notification and an X-MS-Exchange-P2FromRegexMatch header to the affected emails.
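As an added example (not code from the guide or from ESET), here is a Python check a defender could run over messages from a mailbox export or mail log to spot the P2 FROM manipulation that Exchange’s built-in detection targets. The sample messages are constructed, and the value of the X-MS-Exchange-P2FromRegexMatch header is an assumed placeholder, since only the header’s name is documented on this page.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail). The second one carries a P2 FROM
# header whose display name is itself an address that differs from the real
# sender; the X-MS-Exchange-P2FromRegexMatch value is an assumed placeholder.
BENIGN = """From: Alice Example <alice@contoso.example>
To: bob@contoso.example
Subject: Status update

All good.
"""

SPOOFED = """From: "alice@contoso.example" <mail@attacker.example>
To: bob@contoso.example
Subject: Urgent request
X-MS-Exchange-P2FromRegexMatch: true

Please call me.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def p2_from_check(raw_message: str) -> dict:
    """Inspect the P2 (message header) From line of one RFC 5322 message.

    Flags two manipulation patterns: an address embedded in the display name
    that differs from the actual sender address, and more than one sender
    address in the From header. Also reports whether Exchange already tagged
    the message with its X-MS-Exchange-P2FromRegexMatch header."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display, addr = parseaddr(from_header)
    embedded = [a.lower() for a in ADDR_RE.findall(display)]
    senders = [a for _, a in getaddresses([from_header]) if a]
    return {
        "address": addr.lower(),
        "embedded_addresses": embedded,
        "display_name_mismatch": any(a != addr.lower() for a in embedded),
        "multiple_senders": len(senders) > 1,
        "exchange_flagged": "X-MS-Exchange-P2FromRegexMatch" in msg,
    }


def suspicious(raw_message: str) -> bool:
    """True when either manipulation pattern is present in the From header."""
    r = p2_from_check(raw_message)
    return r["display_name_mismatch"] or r["multiple_senders"]
```

Messages that the check flags but that carry no X-MS-Exchange-P2FromRegexMatch header are worth a closer look, since they indicate mail that reached users without the server-side notification.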
Strategic measures
- Multifactor authentication: Secure authentication isn’t difficult to deploy, and for Exchange it is relevant as an additional security layer on top of passwords.
- Role management and split permissions: Exchange’s Role-Based Access Control manages user and admin privileges; the principle of least privilege is the most appropriate model to apply.
- Kerberos and Server Message Block (SMB) instead of New Technology LAN Manager (NTLM): Organizations should migrate from legacy protocols like NTLM to secure ones like Kerberos to ensure trusted mail exchange.
How to apply Exchange security best practices in practice
It’s a lot to take in. But barring the more technical details, the three main ideas from the guide remain true:
- Prevention is critical.
- Security only works when each layer is secured separately.
- Zero-trust considerations minimize the role of the human factor.
While taking a holistic view of Exchange server infrastructure, the above should jump out at a security-minded admin immediately. If not, then perhaps the security management console in use is lacking, since any basic XDR-equipped security platform should be able to point out at least some vulnerability factors.
For example, ESET PROTECT includes a multitude of modules that tackle email communication. Specifically for Exchange, it includes ESET Mail Security (EMSX), which protects both the host system and the mailbox, with further layers of protection for Microsoft 365 included as part of ESET Cloud Office Security.
Another thing to note is vulnerabilities. The Exchange server itself can have them, and missed update notifications won’t be a valid excuse when a cyber insurer asks why you let a known vulnerability lead to data exposure.
Within ESET PROTECT, ESET Vulnerability and Patch Management is offered as an add-on module as well (or as part of a particular subscription tier), easily accessible from the main dashboard, giving admins more control over their patching habits. This solution is also compatible with EMSX for vulnerability management.
Likewise, don’t forget about authentication. You really don’t want surreptitious activity to transpire behind an admin’s back, especially when credential phishing is a constant within the threat landscape due to often-unmanageable human error. That’s one vulnerability you can’t patch automatically. Strong multifactor authentication (MFA) prevents unauthorized access even if credentials are compromised.
In this space, ESET Secure Authentication (ESA) seamlessly supports Outlook Web Access and the Exchange admin center. ESA provides an easy way for businesses of all sizes to implement MFA across commonly utilized systems, such as VPNs, Remote Desktop Protocol, Outlook Web Access, operating system logins, and more, to prevent data breaches and meet compliance requirements.
Lastly, promote full visibility via XDR. By integrating Exchange with an XDR solution, you can gain a deeper understanding of the email threat vector via ingested telemetry. This is a net positive for when you’d like to perform root cause analysis of an incident or see just how your email server is exposed. At the same time, XDR also enables faster response, preventing advanced attacks.
However, XDR could be difficult to manage for regular IT admins. In such cases, consider contracting with a Managed Service Provider (MSP) or a Managed Detection and Response (MDR) service for further support.
Next steps for securing Microsoft Exchange servers
Ultimately, those using Exchange as their main email server should regularly review their security posture. Get a complete view of your systems, explore your security layers, and use a trusted vendor like ESET for comprehensive protection to shore up your cyber resilience and compliance via a prevention-first approach.
Frequently Asked Questions (FAQ)
What’s the biggest risk to Exchange servers today?
Attackers consistently target Exchange for initial access, enabling privilege escalation and internal phishing, making it a high‑risk entry point.
How should you go about achieving a baseline of resilience for Microsoft Exchange?
Primarily, a prevention-first approach supported by robust vulnerability and patch management works best. This can be managed in-app via Microsoft’s own cumulative updates, monthly security hotfixes, or interim measures for actively exploited vulnerabilities, as well as by keeping product EOL in check.
Is it enough to keep Microsoft Exchange patched?
No, security works best in layers. Vulnerabilities can arise anywhere within the wider Exchange ecosystem, which is why every single layer Exchange is involved in (endpoints, email clients, or operating systems) should be reinforced for stronger resilience. To ensure visibility and control over these layers, consider an EDR/XDR solution.
What other factors should be accounted for to protect Exchange?
You must divide your priorities based on strategic measures and the functionalities directly enabled by Exchange. Start with zero trust; by minimizing human-factor risks through MFA and role management, you can ensure that data is only seen and accessed by the appropriate users. Meanwhile, embedded Exchange functionalities like TLS encryption and extended protection can prevent specific attack techniques from getting the best of your employees.