#Microsoft and #Exchange starting off 2022 with a 💣 as of 00:00 UTC with freezing transport of all emails flowing through it On-Prem due to failure converting the new date... 🤦♂️. Solution is to disable the AntiMalware Scanning temporarily via Disable-Antimalwarescanning.ps1. 1/x
This is very bad because of the time this is happening and how many people are off for the holidays. Essentially any server that has this issue will defer all mail until this is rectified. H/T to @miketheitguy for the solution:
This is also confirmed from Microsoft here: docs.microsoft.com/en-us/archive/…. It works for 2016 and I am sure 2019 also. Once the script is run and the transport service restarted, all deferred emails will reprocess and be sent immediately provided you have no other problems. 3/x
The clock is ticking now on servers out there deferring email & hopefully not running out of storage and dropping things or expiring emails that keep getting deferred. Note this is only for On-Prem routed mail it seems and of course 365 is working correctly so it would seem. 4/x
Some organizations still point the MX to On-Prem via a hybrid Exchange box to route mail through separate 3rd party filtering/compliance systems via the "centralized mail transport" option. Therefore, this issue may be significant even if your organization is in the "cloud". 5/5
Bonus Content: Look for Application Event ID: 5300 Source: FIPFS as well as Event ID: 1106 from FIPFS. Additionally you may see cascading errors and timeouts from the MSExchange Antimalware service with Event IDs 3811 and 5801. Lastly you may see Event ID: 1050 from MExRuntime
According to additional research on this issue, this is happening because Microsoft is using a signed int32 for the date and the new date value of 2,201,010,001 is over the max value of "long" int32 being 2,147,483,647. @MSFTExchange - Not sure why it was structured this way??
It appears the first two numbers are the year in the int32 for some reason and the following numbers are month/day/time. Someone was not thinking ahead here. You can quickly patch exchange to use unsigned and we are good till 2043 and hopefully by then this can be structured diff
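As an added illustration (not from the thread or from Microsoft), the arithmetic behind the overflow: the tweet gives the new stamp 2,201,010,001 and says the first two digits are the year followed by month/day/time, so the stamp is assumed here to be laid out as YYMMDDHHMM. The script checks whether a stamp fits a signed or unsigned 32-bit integer and finds the last year each layout survives.

```python
import struct
from datetime import datetime

INT32_MAX = 2**31 - 1       # 2,147,483,647 (signed)
UINT32_MAX = 2**32 - 1      # 4,294,967,295 (unsigned)


def signature_version(dt: datetime) -> int:
    """Assumed stamp layout YYMMDDHHMM, e.g. 2022-01-01 00:01 -> 2201010001."""
    return int(dt.strftime("%y%m%d%H%M"))


def fits_int32(value: int) -> bool:
    """True if the value can be stored in a signed 32-bit integer."""
    try:
        struct.pack("<i", value)
        return True
    except struct.error:
        return False


def fits_uint32(value: int) -> bool:
    """True if the value can be stored in an unsigned 32-bit integer."""
    try:
        struct.pack("<I", value)
        return True
    except struct.error:
        return False


def last_valid_year(fits) -> int:
    """Last two-digit-year whose final minute (Dec 31 23:59) still fits."""
    last = None
    for year in range(2000, 2100):
        if fits(signature_version(datetime(year, 12, 31, 23, 59))):
            last = year
        else:
            break
    return last


if __name__ == "__main__":
    new_year = signature_version(datetime(2022, 1, 1, 0, 1))
    print(new_year, "fits int32:", fits_int32(new_year))      # 2201010001 False
    print("signed int32 works through", last_valid_year(fits_int32))    # 2021
    print("unsigned int32 works through", last_valid_year(fits_uint32)) # 2042
```

Changing the field to unsigned only defers the problem: the stamp exceeds the unsigned limit on 1 January 2043.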
MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -