MS Exchange ProxyNotShell block implemented via iRules

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

MS Exchange ProxyNotShell block implemented via iRules

Problem solved by this Code Snippet

Microsoft has provided a way to block the ProxyNotShell attacks by using the URL rewrite rules on each exchange server. Ref - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

But there is also an alternative way to block the ProxyNotShell attack by levaraging the iRules in F5. Since exchange servers are typically load balanced and if you use F5, requests would go thorough the dedicated F5 VIP for exchange server, the same logic can be applied as iRule to block bad requests across all the exchange servers without making any changes on the servers.

iRule in this repository when attached to the F5 load balancer VIP fronting exchange servers would drop any request matching the below regex ".autodiscover.json.@.powershell." This is similar to the URL rewrite rule applied to each exchange server but applied only at one place - the VIP fronting the exchange servers. Advantage of applying using iRule is :

1. The bad request would not even reach the exchange servers and rejected right at F5.
2. Any enhancement to the regex can be applied here and that would protect all the exchange servers immediately instead of potential change to the url rewrite rule on each exchange servers.

How to use this Code Snippet

Create a new iRule with the below code and attach to the virtual server for your front end exchange servers.
Please feel free to make changes as needed for your environment.

Code Snippet Meta Information

1. Version: 1.0
2. Coding Language: TCL

Full Code Snippet

Please see attached.