Microsoft Exchange Introduces Warning for Emails Exploiting Spoofing Flaw

November 12, 2024

Microsoft has disclosed a high-severity vulnerability in Exchange Server that lets attackers forge the sender shown on incoming email, making malicious messages more convincing. The flaw, tracked as CVE-2024-49040, affects Exchange Server 2016 and 2019. It was discovered by Vsevolod Kokorin, a security researcher at Solidlab, who reported it to Microsoft earlier this year.

According to Kokorin, SMTP servers parse the recipient address in different ways, leading to email spoofing. He also found that some email providers allow the use of symbols such as "<" and ">" in group names, which is not in compliance with RFC standards. He further stated, "During my research, I did not find a single mail provider that correctly parses the 'From' field according to RFC standards."

Microsoft warns that the flaw could be exploited in spoofing attacks against Exchange servers. As part of this month's Patch Tuesday, the company has released updates that detect exploitation attempts and add a warning banner to the suspicious emails.

The vulnerability lies in the current implementation of the P2 FROM header verification that Exchange performs in transport. The P2 FROM is the From: line in the message header, the sender a mail client displays, as distinct from the P1 envelope sender supplied in the SMTP MAIL FROM command. The existing check lets some P2 FROM headers that do not comply with RFC 5322 through, so an email client such as Microsoft Outlook may display a forged sender as legitimate.

Microsoft has not yet patched the vulnerability itself; instead, Exchange servers that have installed the Exchange Server November 2024 Security Update (SU) detect exploitation attempts and add a warning to the affected emails. Exploitation detection and email warnings for CVE-2024-49040 are enabled by default on all systems where admins enable secure by default settings.

Updated Exchange servers also add a warning to the body of any email detected as carrying a forged sender, along with an X-MS-Exchange-P2FromRegexMatch header, so that admins can reject phishing emails attempting to exploit this flaw with a custom mail flow rule. The warning reads: "Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method."
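The following is an added example, not Exchange code or anything from Microsoft or Solidlab. It shows what the transport-time P2 FROM check above is reacting to, and what the accept / warn / reject decision built on the X-MS-Exchange-P2FromRegexMatch header looks like in logic. Python's standard email package implements the RFC 5322 address grammar (including group syntax) and records every deviation as a defect, so that grammar is the check used here rather than Microsoft's unpublished regex. All sample messages are constructed, the domains are hypothetical, and the value stamped in the X-MS-Exchange-P2FromRegexMatch header is a placeholder because the page does not state the real one. The samples go beyond the page by also including the RFC-valid group form and a quoted display name that merely looks like an address, so the reader can see which cases the grammar check does and does not catch.

```python
"""Strict RFC 5322 parse of the P2 (message-header) From line, plus the
accept / warn / reject decision an admin could build on the
X-MS-Exchange-P2FromRegexMatch header. Added example, not Exchange code.
The check is Python's email-package grammar, not Microsoft's regex.
Samples are constructed and use hypothetical domains."""
import email
from email import policy

# Constructed test messages, CRLF line endings as on the wire.
SAMPLES = {
    # Well-formed name-addr.
    "clean": "From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\nbody\r\n",
    # RFC-valid group syntax: display name, colon, mailbox list, semicolon.
    "valid_group": "From: Finance Team:ceo@example.com;\r\nSubject: hi\r\n\r\nbody\r\n",
    # RFC-valid but deceptive: the quoted display name looks like an address.
    "lookalike_display_name": 'From: "ceo@example.com" <attacker@evil.test>\r\n'
                              "Subject: hi\r\n\r\nbody\r\n",
    # Non-compliant: a bare addr-spec followed by a second, angle-bracketed address.
    "addr_then_angle": "From: ceo@example.com <attacker@evil.test>\r\n"
                       "Subject: hi\r\n\r\nbody\r\n",
    # Non-compliant: '<' and '>' inside an unquoted group display name.
    "brackets_in_group_name": "From: CEO <ceo@example.com>: attacker@evil.test;\r\n"
                              "Subject: hi\r\n\r\nbody\r\n",
    # The same forged From after an updated Exchange server stamped it.
    # Header value "matched" is a placeholder; the page does not give the real one.
    "flagged_by_exchange": "X-MS-Exchange-P2FromRegexMatch: matched\r\n"
                           "From: ceo@example.com <attacker@evil.test>\r\n"
                           "Subject: hi\r\n\r\nbody\r\n",
}


def check_p2_from(raw_message: str) -> dict:
    """Parse the P2 From header strictly. Returns what a client would show
    (display name, addr-spec, group name) and every RFC 5322 defect found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hdr = msg["From"]
    if hdr is None:
        return {"compliant": False, "defects": ["missing From header"],
                "display_name": None, "addr_spec": None, "group": None}
    # policy.default returns a parsed AddressHeader. Its .defects are non-empty
    # whenever the value breaks the grammar: tokens left over after an
    # addr-spec, a '<' inside a phrase, and so on. A lenient client ignores
    # them and still renders the first address it managed to extract.
    defects = [f"{type(d).__name__}: {d}" for d in hdr.defects]
    first = hdr.addresses[0] if hdr.addresses else None
    group = hdr.groups[0].display_name if hdr.groups else None
    return {
        "compliant": not defects,
        "defects": defects,
        "display_name": first.display_name if first else None,
        "addr_spec": first.addr_spec if first else None,
        "group": group or None,
    }


def transport_verdict(raw_message: str) -> str:
    """Mirror the post-SU flow: a message the server already stamped with
    X-MS-Exchange-P2FromRegexMatch is rejected (the custom mail flow rule the
    page describes); a non-compliant From that was not stamped gets the
    warning; everything else is accepted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if msg["X-MS-Exchange-P2FromRegexMatch"] is not None:
        return "reject"
    return "accept" if check_p2_from(raw_message)["compliant"] else "warn"


def run_samples() -> dict:
    """Evaluate every sample; returns {name: (verdict, parse_result)}."""
    return {name: (transport_verdict(raw), check_p2_from(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, res) in run_samples().items():
        print(f"{name:24s} {verdict:6s} display={res['display_name']!r} "
              f"addr={res['addr_spec']!r} group={res['group']!r}")
        for d in res["defects"]:
            print(f"{'':24s}        {d}")
```

Two things worth noticing in the output. The two malformed headers are the ones Kokorin's finding is about: a strict parser flags them, yet it still extracts ceo@example.com as the address, which is exactly what a client that ignores defects would display while the attacker's address disappears. The quoted-display-name case, by contrast, is fully RFC-compliant and is accepted; a grammar check of this kind catches malformed headers, not ordinary display-name deception, so it complements rather than replaces SPF/DKIM/DMARC. On a real server the reject branch is a transport rule (New-TransportRule with -HeaderMatchesMessageHeader and -HeaderMatchesPatterns) keyed on the header Exchange now adds.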

Although the new check can be disabled with a PowerShell command, Microsoft strongly recommends leaving it enabled to protect organizations against phishing attacks.
