A new report from the Acronis Threat Research Unit has uncovered a vulnerability in Microsoft Exchange Online settings that could enable email spoofing attacks.
This issue primarily affects users with a hybrid configuration of on-premises Exchange and Exchange Online, and those utilizing third-party email security solutions.
In July 2023, Microsoft introduced a major change in how it handles DMARC (Domain-based Message Authentication, Reporting, and Conformance) within Microsoft Exchange. This update was intended to bolster security by enhancing how email servers verify incoming emails’ legitimacy. Unfortunately, despite clear guidance from Microsoft, a considerable number of users have yet to implement these security measures, leaving their systems vulnerable to various cyber threats, particularly email spoofing.
How misconfiguration leads to vulnerabilities
Microsoft Exchange Online can be used as a mail server without the need for on-premises Exchange servers or third-party anti-spam solutions. However, vulnerabilities arise when Exchange Online is used in hybrid environments – where on-premises Exchange servers communicate with Exchange Online via connectors – or when a third-party MX server is involved.
Email remains a key target for cybercriminals, and this is why robust security protocols are essential to protect against spoofing. Three critical protocols have been developed for this purpose: Sender Policy Framework (SPF) checks whether a mail server is authorized to send email on behalf of a domain using DNS records; DomainKeys Identified Mail (DKIM) allows emails to be digitally signed, verifying that they originate from an authorized server and confirming the sender’s domain authenticity; and Domain-based Message Authentication, Reporting, and Conformance (DMARC) determines how emails that fail SPF or DKIM checks should be handled, specifying actions like rejection or quarantine to enhance email security.
To understand how email security protocols work together, consider a typical email flow: Server A initiates a DNS request to locate the Mail Exchange (MX) server of the recipient’s domain (e.g., ourcompany.com), then sends an email from “user@company.com” to “user2@ourcompany.com” via one of the MX servers (Server B). Server B then verifies the email by checking if it originates from an authorized server (SPF verification), ensuring the presence of a valid DKIM signature, and following the actions specified by the domain’s DMARC policy. If Server A is not listed in the SPF records, lacks a valid DKIM signature, or if the DMARC policy is set to “Reject,” Server B should reject the email. However, if the receiving server is misconfigured, these security checks may be bypassed, allowing the email to be delivered and posing a significant security risk.
In a hybrid environment, the Exchange Hybrid Setup wizard typically creates standard inbound and outbound connectors to facilitate data exchange between Exchange Online and on-premises Exchange servers. Nevertheless, misconfigurations can occur, especially if administrators are unaware of the potential risks or fail to lock down their Exchange Online organization to accept mail only from trusted sources.
Inbound connectors play a crucial role in determining how incoming emails are handled by the Exchange server. In hybrid environments, administrators must ensure that the correct connectors are in place and properly configured. This includes creating a Partner connector with specific IP addresses or certificates to ensure that only emails from trusted sources are accepted. Without these safeguards, misconfigured inbound connectors could allow malicious emails to bypass security checks, leading to potential compromises.
When using a third-party MX server, it is essential to configure the Exchange Online instance according to Microsoft’s recommendations. Failure to do so can expose the organization to spoofing attacks, as emails may bypass critical security checks like DMARC, SPF, and DKIM.
For instance, if the tenant recipient domain’s MX record points to a third-party email security solution instead of Microsoft’s, DMARC policies will not be applied. As a result, emails from unverified sources may be delivered, increasing the risk of phishing and spoofing attacks.
To safeguard against email spoofing and related risks, administrators should strengthen their Exchange environment by taking the following key steps:
- Create additional inbound connectors following Microsoft’s guidelines to restrict incoming emails to trusted sources.
- Implement enhanced filtering for connectors to apply additional security checks.
- Deploy Data Loss Prevention (DLP) and transport rules to prevent unauthorized emails and protect sensitive information.
- Conduct regular security audits to ensure that Exchange server configurations align with the latest security practices.
