Microsoft Enhances Exchange & SharePoint Security With New Antimalware Scan

Microsoft has announced a significant security upgrade for Exchange Server and SharePoint Server through integration with the Windows Antimalware Scan Interface (AMSI), providing critical protection for these business-critical systems that are frequent targets for cyberattacks.

Exchange Server and SharePoint Server represent “crown jewels” for many organizations, making them prime targets for sophisticated threat actors. 

The new AMSI integration offers an essential layer of defense by intercepting and preventing harmful web requests before they reach vulnerable backend endpoints.


“This integration becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days,” Microsoft emphasized in their announcement. 

“With AMSI integrated, these malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates.”

Advanced Technical Integration

The AMSI implementation functions as a security filter module within the Internet Information Services (IIS) pipeline, leveraging SPRequesterFilteringModule for SharePoint and HttpRequestFilteringModule for Exchange. 

[Figure: Overview of AMSI Integration in SharePoint and Exchange Server]

This architectural approach enables inspection of incoming HTTP requests at the onBeginRequest stage, before authentication and authorization phases occur.

When malicious activity is detected, the system automatically returns an HTTP 400 Bad Request response, effectively terminating the attack attempt before execution.

[Figure: AMSI protecting against mailbox exfiltration using the public tool MailSniper]

Enhanced Scanning Capabilities

Recent improvements have significantly expanded AMSI’s protective capabilities. While initial implementations only scanned request headers, newer versions now inspect complete request bodies as well. 

This advancement proves crucial for detecting sophisticated attacks embedded within payload content rather than headers alone.

“These enhanced security controls are not enabled by default, making it crucial for organizations to assess for stronger protection,” Microsoft warned.

Protection Against Multiple Attack Vectors

The AMSI integration provides defense against numerous attack methodologies, including:

  • Server-side request forgery (SSRF) exploits, such as CVE-2023-29357 and CVE-2022-41040.
  • Web shell deployments, including stealthy modifications like appending malicious code to legitimate files (e.g., signout.aspx).
  • Exchange Web Services (EWS) abuse through suspicious SOAP operations.
  • Insecure deserialization attacks targeting PowerShell application pools.
  • Web control abuse exploiting vulnerabilities like CVE-2024-38094.

[Figure: Legitimate signout.aspx with hijacked ’username’ parameter supplied with command]

One detection example highlights how AMSI identified suspicious PowerShell activity:

This query helps security teams identify potential malicious processes executed by the IIS worker process.
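Microsoft's own hunting query is not reproduced on this page. As an added example (not Microsoft's query or code), the same detection idea in Python: correlate process-creation events by PID, flag command interpreters and other scripting hosts whose direct parent is an IIS worker process (w3wp.exe), and recover the application pool name from the parent's command line. The event records and the w3wp command lines are constructed here; a real deployment would feed in Sysmon Event ID 1 or Defender DeviceProcessEvents.

```python
"""Flag processes spawned by IIS worker processes (w3wp.exe) on an Exchange
or SharePoint server. Added example, not Microsoft's hunting query; the
events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Child images that an IIS worker process has little legitimate reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# IIS starts worker processes as: w3wp.exe -ap "<AppPoolName>" -v "v4.0" ...
APPPOOL_RE = re.compile(r'-ap\s+"([^"]+)"')

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name only
    cmdline: str

def app_pool_of(w3wp_cmdline):
    """Return the IIS application pool a w3wp.exe instance serves, or None."""
    m = APPPOOL_RE.search(w3wp_cmdline)
    return m.group(1) if m else None

def find_w3wp_children(events):
    """Return (app_pool, child_image, child_cmdline) for every suspicious
    process whose direct parent is w3wp.exe. Parents are resolved by PID,
    so the parent's own creation event must be in the same batch."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "w3wp.exe":
            continue
        if e.image.lower() in SUSPICIOUS_CHILDREN:
            hits.append((app_pool_of(parent.cmdline), e.image, e.cmdline))
    return hits

# Constructed sample events: two worker processes, four children.
SAMPLE_EVENTS = [
    ProcEvent(4120, 788, "w3wp.exe",
              'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'),
    ProcEvent(4121, 788, "w3wp.exe",
              'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "SharePoint - 80" -v "v4.0"'),
    ProcEvent(5300, 4120, "cmd.exe", "cmd.exe /c echo test"),
    ProcEvent(5301, 4121, "powershell.exe", "powershell.exe -enc <redacted>"),
    ProcEvent(5302, 4120, "conhost.exe", "conhost.exe 0x4"),   # benign noise, not flagged
    ProcEvent(5303, 1000, "cmd.exe", "cmd.exe /c dir"),        # parent is not w3wp, not flagged
]

if __name__ == "__main__":
    for pool, image, cmd in find_w3wp_children(SAMPLE_EVENTS):
        print(f"[{pool}] {image}: {cmd}")
```

The application pool name is what lets an analyst tell, for example, a child of the Exchange PowerShell pool (relevant to the deserialization vector above) from one spawned by a SharePoint site pool.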

Implementation Recommendations

Microsoft recommends organizations take immediate steps to activate AMSI protection:

  • Update to SharePoint Server Subscription Edition Version 25H1 or Exchange Server November 2024 Security Update to enable body scanning capabilities.
  • Apply all latest security updates to remediate known vulnerabilities.
  • Enable cloud-delivered protection and automatic sample submission.
  • Review privileged roles and restrict access following least-privilege principles.
  • Prioritize alerts related to suspicious processes originating from application pools.

The enhanced AMSI integration is complemented by Microsoft’s broader security ecosystem, including Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Microsoft Security Copilot, providing comprehensive threat detection across the environment.

“Keeping these servers safe from these advanced attacks is of utmost importance,” Microsoft advised in their security guidance, emphasizing the critical nature of these business systems and the sophisticated threats they continue to face.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents across the industry.