Microsoft Exchange Misconfigurations Open New Doors for Email Spoofing Attacks – Here’s How It Works
A new report from the Acronis Threat Research Unit has discovered a vulnerability in Microsoft Exchange Online settings that could allow email spoofing attacks.
This issue primarily affects users with a hybrid configuration of on-premises Exchange and Exchange Online, and users who use third-party email security solutions.
In July 2023, Microsoft introduced a major change to the way it handles DMARC (Domain-based Message Authentication, Reporting, and Conformance) within Microsoft Exchange. This update was intended to improve security by improving the way email servers verify the legitimacy of incoming emails. Unfortunately, a significant number of users have not implemented these security measures despite clear guidance from Microsoft, leaving their systems vulnerable to various cyber threats, most notably email spoofing.
How Misconfiguration Leads to Vulnerabilities
Microsoft Exchange Online can be used as a mail server without the need for on-premises Exchange servers or third-party anti-spam solutions. However, vulnerabilities arise when Exchange Online is used in hybrid environments – where on-premises Exchange servers communicate with Exchange Online via connectors – or when a third-party MX server is involved.
E-mail remains a prime target for cybercriminals, which is why robust security protocols are essential to protect against spoofing. Three crucial protocols have been developed for this purpose: Sender Policy Framework (SPF) checks whether a mail server is authorized to send email on behalf of a domain using DNS records; DomainKeys Identified Mail (DKIM) enables digital signing of emails, verifying that they come from an authorized server and confirming the domain authenticity of the sender; and Domain-based Message Authentication, Reporting, and Conformance (DMARC) determines how to handle emails that fail SPF or DKIM checks, specifying actions such as rejection or quarantine to enhance email security.
To understand how email security protocols work together, consider a typical email flow: Server A initiates a DNS query to locate the recipient domain’s Mail Exchange (MX) server (for example, ourcompany.com) and then sends an email from “user@company.com” to “user2@ourcompany.com” via one of its MX servers (Server B). Server B then authenticates the email by checking that it comes from an authorized server (SPF verification), ensuring the presence of a valid DKIM signature, and performing the actions specified by the domain’s DMARC policy. If Server A is not in the SPF records, does not have a valid DKIM signature, or the DMARC policy is set to “Reject,” Server B should reject the email. However, if the receiving server is misconfigured, these security checks can be bypassed, allowing the email to be delivered and posing a significant security risk.
In a hybrid environment, the Exchange Hybrid Setup wizard typically creates default inbound and outbound connectors to facilitate data exchange between Exchange Online and on-premises Exchange servers. However, misconfigurations can still occur, especially if administrators are unaware of the potential risks or do not lock down their Exchange Online organization to only accept email from trusted sources.
Inbound connectors play a critical role in determining how incoming emails are processed by the Exchange server. In hybrid environments, administrators must ensure that the appropriate connectors are present and configured correctly. This includes creating a Partner connector with specific IP addresses or certificates to ensure that only emails from trusted sources are accepted. Without these protections, misconfigured inbound connectors can allow malicious emails to bypass security controls, leading to potential compromise.
When using a third-party MX server, it is essential to configure the Exchange Online instance according to Microsoft RecommendationsFailure to do so could expose the organization to spoofing attacks as emails could bypass important security controls such as DMARC, SPF, and DKIM.
For example, if the tenant recipient domain’s MX record points to a third-party email security solution instead of Microsoft’s, DMARC policies will not be enforced. As a result, emails from unauthenticated sources may be delivered, increasing the risk of phishing and spoofing attacks.
To protect against email spoofing and its associated risks, administrators should harden their Exchange environment by taking the following key steps:
- Create additional inbound connectors following Microsoft guidelines to restrict incoming emails to trusted sources.
- Implement enhanced filtering for connectors to apply additional security checks.
- Implement Data Loss Prevention (DLP) and transport rules to prevent unauthorized emails and protect sensitive information.
- Perform regular security audits to ensure that Exchange server configurations comply with the latest security practices.