Microsoft has added a major security upgrade to Exchange Server and SharePoint Server by integrating them with the Windows Antimalware Scan Interface (AMSI). This helps protect these important systems, which are often targeted by cyberattacks.
Exchange Server and SharePoint Server are key systems for many organizations, which makes them attractive targets for sophisticated attackers.
The new AMSI feature helps stop harmful web requests before they can reach and harm the servers.
Microsoft highlighted that this integration is crucial for blocking zero-day attacks. With AMSI, threats are detected and stopped in real-time, giving protection while patches are being applied.
Advanced Technical Integration
AMSI works as a security filter inside the IIS pipeline, using SPRequesterFilteringModule for SharePoint and HttpRequestFilteringModule for Exchange. This setup lets it scan incoming HTTP requests early, before any authentication or authorization happens.
If it finds something harmful, it immediately blocks the request and returns an HTTP 400 Bad Request response—stopping the attack before it can run.

AMSI has been improved to scan full request bodies, not just headers, making it better at catching advanced attacks.
However, Microsoft warns these stronger protections aren’t turned on by default, so organizations should enable them for better security.
Protection Against Multiple Attack Methods
The AMSI integration helps block several types of cyberattacks, including:
- SSRF attacks, like CVE-2023-29357 and CVE-2022-41040
- Web shell uploads, where attackers hide malicious code in normal files (e.g., signout.aspx)
- Exchange Web Services (EWS) abuse, using suspicious SOAP requests
- Insecure deserialization, targeting PowerShell application pools
- Web control exploits, such as CVE-2024-38094
For example, AMSI can detect unusual PowerShell activity triggered by the IIS worker process—helping security teams spot possible threats early.
Microsoft urges organizations to take the following steps to strengthen AMSI protection:
- Upgrade to SharePoint Server Subscription Edition (25H1) or install the Exchange Server November 2024 update to enable full request body scanning
- Apply the latest security updates to fix known vulnerabilities
- Turn on cloud-delivered protection and automatic sample submission in antivirus settings
- Limit privileged access using the least-privilege model
- Watch for alerts linked to suspicious activity from app pools
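As an added example (not Microsoft's code and not part of the original article), the following Python shows one way to watch for the app pool activity described above: it flags process-creation events in which the IIS worker process (w3wp.exe) starts a shell or script host, and reports the app pool taken from the worker's `-ap` argument. The event field names follow Sysmon Event ID 1; the watch list, app pool names and sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed watch list of shells and script hosts; tune it for your environment.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
APP_POOL_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)

def app_pool(parent_cmdline):
    """Return the app pool name from a w3wp.exe command line, or None."""
    match = APP_POOL_RE.search(parent_cmdline or "")
    return match.group(1) if match else None

def find_app_pool_spawns(events):
    """Flag process-creation events where w3wp.exe starts a shell or script host."""
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage") or "").lower()
        child = basename(ev.get("Image") or "").lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append({
                "time": ev.get("UtcTime"),
                "app_pool": app_pool(ev.get("ParentCommandLine")) or "unknown",
                "child": child,
                "command_line": ev.get("CommandLine", ""),
            })
    return findings

# Constructed sample events (field names follow Sysmon Event ID 1).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-10 08:14:02", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "MSExchangePowerShellAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    # ASP.NET compiling a page: w3wp.exe starts csc.exe, which is not on the watch list.
    {"UtcTime": "2025-01-10 08:15:40", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "SharePoint - 80" -v "v4.0"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig @constructed.cmdline"},
    # Parent command line missing from the event: still flagged, pool reported as unknown.
    {"UtcTime": "2025-01-10 08:16:05", "ParentImage": W3WP.upper(),
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for hit in find_app_pool_spawns(SAMPLE_EVENTS):
        print(f'{hit["time"]} pool={hit["app_pool"]} child={hit["child"]} cmd={hit["command_line"]}')
```

Some management tooling legitimately runs scripts under an app pool, so treat hits as leads to triage against a baseline for that server rather than as confirmed compromise.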
Microsoft also recommends using AMSI alongside tools like Microsoft Defender Antivirus, Defender for Endpoint, and Security Copilot for more complete protection.
“Protecting these critical servers from advanced attacks is essential,” Microsoft said in its latest security guidance.