CISA and NSA Release New Security Blueprint for Microsoft Exchange — What It Means for Your Organization

On October 31, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and several international partners released a new security blueprint for hardening Microsoft Exchange servers.

This release isn’t just another best-practice document—it’s a wake-up call for organizations still hosting or maintaining on-prem Exchange environments. For those relying on hybrid email infrastructures, this guidance may be the difference between staying secure and becoming a headline.

At Critical Path Security, we’ve spent years helping organizations navigate complex Exchange, Microsoft 365, and hybrid configurations through our Secure Cloud Business Applications (SCuBA) assessments. This blueprint validates what we’ve been preaching: legacy Exchange environments are one of the most consistent entry points for attackers targeting both IT and OT environments.


Why This Blueprint Matters

Exchange has long been a favourite target of cyber threat actors. When compromised, it becomes a stepping stone—offering direct access to internal systems, cloud connectors, and even industrial control networks in some cases.
The new CISA/NSA guidance highlights a few critical actions every organization should take:

1. Retire Unsupported Versions

Microsoft will end support for older Exchange versions after October 14, 2025. Running outdated systems means running unpatched vulnerabilities—something no amount of firewalling can offset. If your organization is still hosting Exchange 2016 or earlier, it’s time to move.

2. Reduce the Attack Surface

CISA and NSA emphasize minimizing exposed services, restricting admin access, and separating administrative workstations. This is about reducing the number of ways an attacker can get in—or pivot once they’re inside.

3. Modernize Authentication and Encryption

The report recommends enabling Modern Authentication (OAuth 2.0/MFA), enforcing TLS for all mail transport, and eliminating legacy protocols such as NTLM and SMBv1.
It also stresses enabling the Exchange Emergency Mitigation Service (EMS)—a built-in mechanism to apply urgent mitigations when zero-day vulnerabilities are discovered.

4. Harden the Entire Stack

Exchange security isn’t limited to the mail server itself. Hardening must include:

  • The operating system underneath

  • Connected identity platforms (Active Directory, Azure AD, Entra ID)

  • The clients and browsers accessing it

  • The network layers that support and expose it

Our SCuBA process audits each of these elements to provide end-to-end assurance—from host configuration to email routing integrity.


How This Ties Into SCuBA

CISA’s SCuBA initiative was designed to help agencies and enterprises secure their cloud and business applications through standardized baselines and automated assessments.

At Critical Path Security, we’ve extended SCuBA beyond federal systems. Our daily assessments for Microsoft 365, Exchange, and Entra environments already map to these CISA and NSA recommendations—identifying drift, enforcing hardening policies, and alerting on configuration risks before they’re exploited.

With the release of this new Exchange hardening blueprint, our platform and audit processes will now include:

  • Verification of EMS and Modern Auth configuration

  • TLS version enforcement

  • Detection of legacy protocols and authentication methods

  • Version compliance with Microsoft’s supported lifecycle

  • Evidence-based reporting mapped to NIST CSF and SCuBA standards
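As an added illustration of what the verification items above look like on the server side (this is example code written for this post, not Critical Path Security's platform, CISA's or NSA's tooling), the following PowerShell runs from the Exchange Management Shell on an on-prem Exchange server and reports read-only findings for the version, EMS, Modern Auth, transport TLS and legacy-protocol points in sections 1 and 3. It assumes the standard Exchange cmdlets and that the SCHANNEL and LSA settings live at their default registry paths.

```powershell
# Added example (not Critical Path Security's, CISA's or NSA's code). Read-only
# posture checks run from the Exchange Management Shell on an on-prem server.
$findings = @()
$org = Get-OrganizationConfig

# Section 1: version compliance. AdminDisplayVersion 15.0 = Exchange 2013 and
# 15.1 = Exchange 2016 are out of support; 15.2 = 2019/Subscription Edition,
# so confirm the CU against Microsoft's lifecycle page rather than auto-passing.
foreach ($srv in Get-ExchangeServer) {
    $v = $srv.AdminDisplayVersion
    if ($v.Major -eq 15 -and $v.Minor -lt 2) {
        $findings += "$($srv.Name): unsupported build $v, retire or migrate"
    }
    # Section 3: Emergency Mitigation Service must be on per server and org-wide
    if (-not $srv.MitigationsEnabled) {
        $findings += "$($srv.Name): Emergency Mitigation Service disabled"
    }
}
if (-not $org.MitigationsEnabled) {
    $findings += "Org: Emergency Mitigation Service disabled organization-wide"
}

# Section 3: Modern Authentication (OAuth 2.0) at the organization level
if (-not $org.OAuth2ClientProfileEnabled) {
    $findings += "Org: Modern Authentication (OAuth2ClientProfileEnabled) is off"
}

# Section 3: TLS on mail transport. Flag every connector that does not require
# TLS; review each hit, since some internal receive connectors are exceptions.
foreach ($c in @(Get-ReceiveConnector) + @(Get-SendConnector)) {
    if (-not $c.RequireTLS) { $findings += "$($c.Identity): RequireTLS is false" }
}

# Section 3: legacy protocols on this host. A missing SCHANNEL key or Enabled<>0
# means the protocol is still negotiable; LmCompatibilityLevel below 5 (or
# unset) still accepts LM/NTLMv1 responses; SMBv1 should be removed outright.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $enabled = (Get-ItemProperty "$schannel\$proto\Server" -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) { $findings += "$env:COMPUTERNAME: $proto not disabled for server use" }
}
$lsa = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lsa -or $lsa -lt 5) {
    $findings += "$env:COMPUTERNAME: LmCompatibilityLevel < 5, LM/NTLMv1 still accepted"
}
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += "$env:COMPUTERNAME: SMBv1 server protocol is enabled"
}

# One evidence line per finding, or a clean result for this run.
if ($findings.Count -eq 0) { 'No findings for the checks above.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The SCHANNEL, LSA and SMB checks describe only the host the shell runs on, so run the script on each Exchange server; the Exchange cmdlet checks cover the whole organization from any one of them.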


Our Take

The timing of this blueprint couldn’t be more critical.
We continue to see breaches stemming from unpatched or forgotten Exchange systems—many sitting just outside the SOC’s field of view. These systems often carry administrative privileges, cached credentials, and visibility into broader infrastructure.

Hardening isn’t optional—it’s survival.

Whether you’re operating Exchange on-prem, in hybrid mode, or planning a migration to Microsoft 365, our team can help you assess exposure, apply mitigations, and build resilience against future threats.


Next Steps

  • Review your current Exchange deployment.

  • Confirm version support and enable the Emergency Mitigation Service.

  • Conduct a SCuBA assessment or contact our team for a full audit of your Microsoft environment.


Critical Path Security provides continuous compliance and active defense for organizations across manufacturing, utilities, and public sectors.

If you’d like help mapping your Microsoft infrastructure to the new CISA and NSA recommendations, contact us at www.criticalpathsecurity.com.