Three of the five Five Eyes states—Australia, Canada, and the United States—have released guidance to help end-user organizations protect their instances of Microsoft Exchange Server. In August, the US Cybersecurity and Infrastructure Security Agency (CISA) had published an emergency notification regarding CVE-2025-53786, an escalation of privilege (EoP) vulnerability affecting all versions of a widely used product.
The document establishes a range of proactive prevention techniques to mitigate threats and protect sensitive data and communications on on-premises Exchange servers in hybrid environments, and CISA has designated it a critical resource for users dependent on Microsoft Exchange.
Nick Anderson, executive assistant director of the agency's cybersecurity division, said, “As the threat to Exchange servers remains persistent, ensuring preventative measures and adherence to these best practices are critical to protecting our critical communications systems. This guidance empowers organizations to proactively mitigate threats, protect corporate assets and ensure the resilience of their operations.”
“Furthermore, CISA encourages organizations to evaluate the use of cloud email services rather than dealing with the complexities associated with hosting their own communications services. CISA provides a secure baseline for these through our Secure Cloud Business Applications [SCuBA] program.”
The guide describes several steps administrators can take to optimize their Exchange security. Many of these form the basic elements of cybersecurity best practices, such as restricting access, implementing multi-factor authentication (MFA), maintaining strict transport security configurations, and adhering to zero trust principles.
It also highlights that, since Microsoft Exchange Server Subscription Edition (SE) is now the only supported on-premises version of Exchange (previous versions ended support on October 14, 2025, with Windows 10), those running unsupported versions should upgrade to SE or move to an alternative supported mail server product or service.
If this is not immediately possible, administrators may consider isolating older Exchange Server instances on a dedicated network segment and using them only internally; if they need to be used externally, administrators may consider hiding them from public Internet connections behind a separate and brokered email security gateway.
“Securing Exchange servers is essential to maintaining the integrity and confidentiality of enterprise communications and functions,” the guide's authors write.
“By adhering to the best practices outlined in this document, organizations can significantly reduce the risk of cyber threats. Continuously assessing and strengthening the cybersecurity of these communications servers is critical to staying ahead of evolving cyber threats and ensuring Exchange is securely protected as part of many organizations' operating system.”
“Devastating Comment”
AJ Grotto, a former White House cyber policy director during the Obama and first Trump administrations and now at California's Stanford University, said the publication was an unusual move that did not necessarily reflect well on Microsoft.
“Governments generally do not intervene to provide detailed guidance on behalf of private companies on how to safely use their products,” Grotto said. “The fact that a multilateral coalition of security and intelligence agencies felt compelled to create something like this is a devastating commentary on Microsoft's security posture.
“Microsoft gets away with its negligence because customers are tied to their ecosystem, which gives Microsoft the ability to shift risks and costs to its customers. It doesn't look good.”