Microsoft Exchange Server

Exchange Server primarily uses a proprietary protocol called MAPI to talk to email clients, but subsequently added support for POP3, IMAP, and EAS.

In the on-premises form, customers purchase client access licenses (CALs); as SaaS, Microsoft charges a monthly service fee instead.

[6] In this scenario, the data can be regarded as a single point of failure, despite Microsoft's description of this set-up as a "Shared Nothing" model.

[7] This void has however been filled by ISVs and storage manufacturers, through "site resilience" solutions, such as geo-clustering and asynchronous data replication.

[8] Exchange Server 2007 introduces new cluster terminology and configurations that address the shortcomings of the previous "shared data model".

This type of cluster can be inexpensive and deployed in one, or "stretched" across two data centers for protection against site-wide failures such as natural disasters.

It is designed to allow for data replication to an alternative drive attached to the same system and is intended to provide protection against local storage failures.

This service pack includes an additional high-availability feature called SCR (Standby Continuous Replication).

Clients capable of using the proprietary features of Exchange Server include Evolution,[14] Hiri and Microsoft Outlook.

E-mail hosted on an Exchange Server can also be accessed using the POP3 and IMAP4 protocols, using clients such as Windows Live Mail, Mozilla Thunderbird, and Lotus Notes.

It was discontinued because of the move to email standards such as SMTP, IMAP, and POP3, all of which Outlook Express supports better than Windows Messaging.

[23] Hybrid implementations are popular for organizations that are unsure of the need or urgency to do a full transition to Exchange Online, and also allow for staggered email migration.

Hybrid tools can cover the main stack of Microsoft Exchange, Lync, SharePoint, Windows, and Active Directory servers, in addition to using replica data to report cloud user experience.

In February 2020, an ASP.NET vulnerability was discovered and exploited. It relied on a default setting and allowed attackers to run arbitrary code with system privileges, requiring only a connection to the server and a login to any user account, which can be obtained through credential stuffing.

[26][27] The exploit relied on every version and every installation of Microsoft Exchange using, by default, the same static validation key to decrypt, encrypt, and validate the 'View State'. The View State is used to temporarily preserve changes to an individual page as information is sent to the server.

[26][27] When logged in as any user, any .ASPX page is then loaded, and both the session ID of the user login and the correct View State are requested directly from the server. This correct View State can then be deserialised, modified to also include arbitrary code, and falsely verified by the attacker.
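A defender-side check for the shared-key condition described above, added here as an example and not taken from Microsoft or the cited research. It assumes the validation key is set in the ASP.NET `<machineKey>` element of each server's web.config, and it reports explicit keys that appear on more than one host; the host names and key values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments; host names and key values are made up.
_TEMPLATE = ('<configuration><system.web>'
             '<machineKey validationKey="{key}" validation="SHA1" />'
             '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "mail01": _TEMPLATE.format(key="AB" * 32),
    "mail02": _TEMPLATE.format(key="ab" * 32),  # same key, different case
    "mail03": _TEMPLATE.format(key="AutoGenerate,IsolateApps"),
    "mail04": _TEMPLATE.format(key="5E" * 32),  # explicit but unique
}

def key_fingerprint(key):
    """Short SHA-256 fingerprint, so a report never contains the key itself."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()[:12]

def explicit_validation_key(web_config_xml):
    """Return the hard-coded validationKey, or None if absent or auto-generated."""
    node = ET.fromstring(web_config_xml).find(".//{*}machineKey")
    if node is None:
        return None
    key = node.get("validationKey", "")
    if not key or key.upper().startswith("AUTOGENERATE"):
        return None
    return key

def shared_static_keys(configs):
    """Map fingerprint -> sorted hosts for explicit keys found on several hosts."""
    by_fingerprint = defaultdict(list)
    for host, xml_text in configs.items():
        key = explicit_validation_key(xml_text)
        if key is not None:
            by_fingerprint[key_fingerprint(key)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fingerprint.items()
            if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_static_keys(SAMPLE_CONFIGS).items():
        print(f"validation key {fp} is shared by: {', '.join(hosts)}")
```

A key that is identical across hosts is known to anyone who has seen one installation, so a View State MAC computed with it proves nothing about where the View State came from.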

[26][27] In July 2020, Positive Technologies published research explaining how hackers can attack Microsoft Exchange Server without exploiting any vulnerabilities.

[28] It was voted into the Top 10 web hacking techniques of 2020, according to PortSwigger Ltd.[29] In 2021, critical zero-day exploits were discovered in Microsoft Exchange Server.

The attack affected the email systems of an estimated 250,000 global customers, including state and local governments, policy think tanks, academic institutions, infectious disease researchers and businesses such as law firms and defense contractors.

[33] In a separate incident, a brute-force campaign ongoing from mid-2019 to the present (July 2021), attributed by British and American (NSA, FBI, CISA) security agencies to the GRU, has used publicly known Exchange vulnerabilities, as well as already-obtained account credentials and other methods, to infiltrate networks and steal data.