Microsoft has uncovered a critical Exchange Server vulnerability that enables attackers to fake legitimate senders on inbound emails, making harmful communications far more effective.
The vulnerability (CVE-2024-49040) affects Exchange Server 2016 and 2019, and was found by Solidlab security researcher Vsevolod Kokorin, who reported it to Microsoft earlier this year.
"The problem is that SMTP servers parse the recipient address differently, which leads to email spoofing," Kokorin explained in a May study.
"Another issue I discovered is that some email providers allow the use of the symbols < and > in group names, which does not comply with RFC standards."
"During my research, I did not find a single mail provider that correctly parses the 'From' field according to RFC standards," stated the researcher.
Microsoft also warned today that the issue may be used in spoofing attacks against Exchange servers, and it deployed multiple patches during this month's Patch Tuesday to include exploitation detection and warning banners.
"The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport," the software company said.
"The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate."
Exchange servers now warn of exploitation attempts.
While Microsoft has not fixed the vulnerability itself and Exchange will continue to accept emails with these non-compliant headers, the company says Exchange servers will now detect and warn about such emails after the Exchange Server November 2024 Security Update (SU) is installed.
CVE-2024-49040 exploitation detection and email warnings will be enabled by default on all systems where the administrator has activated secure by default settings.
Up-to-date Exchange servers will also add a warning to the body of any email they detect as having a forged sender, as well as an X-MS-Exchange-P2FromRegexMatch header, which lets administrators use custom mail flow rules to reject phishing emails that seek to exploit this weakness.
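As an added example (not from the article, and not Microsoft's own documentation), one way an administrator could act on that header is a mail flow rule, created from the Exchange Management Shell, that rejects inbound messages carrying X-MS-Exchange-P2FromRegexMatch. The rule name, the reject text, and the assumption that the header's mere presence (any value) marks a detection are assumptions here, not facts from the page.

```powershell
# Added example: reject messages that Exchange has flagged via the
# X-MS-Exchange-P2FromRegexMatch header (CVE-2024-49040 detection).
# Assumption: any value in the header counts as a detection, so the
# rule matches on the header being present (pattern ".+").
$ruleName = 'Reject-NonCompliant-P2-From'   # rule name is an assumption

# Create the rule in audit-only mode first, so it can be validated
# against real traffic before it rejects anything.
New-TransportRule -Name $ruleName `
    -HeaderMatchesMessageHeader 'X-MS-Exchange-P2FromRegexMatch' `
    -HeaderMatchesPatterns '.+' `
    -RejectMessageReasonText 'Sender header failed RFC 5322 validation' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Comments 'Blocks messages flagged by the Exchange P2 FROM check'

# Check the rule was stored with the intended condition and mode.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderMatchesMessageHeader, HeaderMatchesPatterns

# Switch to enforcement once the audit period shows no false positives.
Set-TransportRule -Identity $ruleName -Mode Enforce

# The rule only works while the detection feature is on: confirm no
# setting override named in the article has switched it off.
Get-SettingOverride | Where-Object { $_.Name -eq 'DisableNonCompliantP2FromProtection' }
```

Because the header is only added by servers running the November 2024 SU with the feature enabled, the rule has no effect on servers that have not been updated.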
The warning reads: "Notice: This email appears to be questionable. Do not trust the information, links, or attachments in this email without first verifying the source using a trusted method."
While it is not recommended, Microsoft supplies the following PowerShell commands for administrators who still want to disable this new security feature (run from an elevated Exchange Management Shell):
New-SettingOverride -Name "DisableNonCompliantP2FromProtection" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
"Although it's possible to disable the feature using New-SettingOverride, we strongly recommend you leave the feature enabled, as disabling the feature makes it easier for bad actors to run phishing attacks against your organization," according to Redmond.