Microsoft Exchange adds warning to emails abusing spoofing flaw

Microsoft has disclosed a high-severity Exchange Server vulnerability that allows attackers to forge legitimate senders on incoming emails and make malicious messages much more effective.

The security flaw (CVE-2024-49040) impacts Exchange Server 2016 and 2019, and was discovered by Solidlab security researcher Vsevolod Kokorin, who reported it to Microsoft earlier this year.

“The issue is that SMTP servers parse the recipient address differently, which results in email spoofing,” Kokorin said in a May report.

“Another issue I discovered is that some email providers allow the use of the symbols < and > in group names, which does not comply with RFC standards.”

“During my research, I didn’t find a single mail provider that correctly parses the ‘From’ field in accordance with RFC standards,” he added.

CVE-2024-49040 email spoofing (Vsevolod Kokorin)

Microsoft also warned today that the flaw could be used in spoofing attacks targeting Exchange servers and released several updates during this month’s Patch Tuesday to add exploitation detection and warning banners.


“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport,” Microsoft explained.

“The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate.”
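To make concrete what “non-RFC 5322 compliant P2 FROM header” means in Kokorin’s and Microsoft’s statements above, here is an added example (not code from Kokorin, Microsoft or the article) of a strict single-mailbox check for the From header value. It flags the shapes both passages describe: unquoted < or > in a display or group name, more than one <addr-spec>, and text trailing the mailbox. It also reports, separately, a header that is RFC-legal but carries an address inside the quoted display-name, which is what a lenient client may render as the sender. The sample headers at the bottom are constructed; the function does not reproduce Exchange’s own regex, and it treats RFC 5322 group syntax and comments as non-compliant (a simplification stated in the comments).

```powershell
# Characters RFC 5322 allows in an unquoted atom ("atext"). Everything else,
# including < > @ : , ; " ( ) [ ] \ and ".", is a "special" and must be quoted
# to appear in a display-name.
$AText = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + '!#$%&' + "'" + '*+-/=?^_`{|}~')

function Split-QuotedStrings {
    # Replace each quoted-string with the atom "Q" so that specials inside quotes
    # are not mistaken for header structure. Returns the flattened header, the
    # quoted contents, and whether a quote was left unterminated.
    param([string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    $quoted = New-Object System.Collections.Generic.List[string]
    $unterminated = $false
    $i = 0
    while ($i -lt $Value.Length) {
        if ($Value[$i] -ne '"') { [void]$sb.Append($Value[$i]); $i++; continue }
        $j = $i + 1
        while ($j -lt $Value.Length -and $Value[$j] -ne '"') {
            if ($Value[$j] -eq '\') { $j += 2 } else { $j++ }   # quoted-pair: skip the escaped char
        }
        if ($j -ge $Value.Length) { $unterminated = $true }
        $len = [Math]::Min($j, $Value.Length) - ($i + 1)
        $quoted.Add($Value.Substring($i + 1, $len))
        [void]$sb.Append('Q')
        $i = $j + 1
    }
    return [pscustomobject]@{ Flat = $sb.ToString(); Quoted = $quoted; Unterminated = $unterminated }
}

function Test-P2FromHeader {
    # Strict RFC 5322 check of a single-mailbox From header value.
    param([Parameter(Mandatory)][string]$Value)
    $findings = New-Object System.Collections.Generic.List[string]
    $split = Split-QuotedStrings -Value $Value.Trim()
    $flat = $split.Flat
    if ($split.Unterminated) { $findings.Add('unterminated quoted-string') }

    $opens     = @([regex]::Matches($flat, '<') | ForEach-Object { $_.Index })
    $closes    = @([regex]::Matches($flat, '>') | ForEach-Object { $_.Index })
    $addrSpecs = @([regex]::Matches($flat, '<([^<>]*)>') | ForEach-Object { $_.Groups[1].Value })

    # A single mailbox is a bare addr-spec or "display-name <addr-spec>": zero or
    # exactly one balanced pair of angle brackets outside quoted-strings.
    $misordered = $false
    for ($k = 0; $k -lt [Math]::Min($opens.Count, $closes.Count); $k++) {
        if ($closes[$k] -lt $opens[$k]) { $misordered = $true }
    }
    if ($opens.Count -ne $closes.Count -or $misordered) { $findings.Add('unbalanced angle brackets') }
    if ($addrSpecs.Count -gt 1) { $findings.Add('more than one <addr-spec>') }

    if ($opens.Count -gt 0) {
        # Text before the first "<" is the display-name, a phrase of atoms and
        # quoted-strings; bare specials there violate RFC 5322. Simplification:
        # CFWS comments "(...)" are not modelled and would be flagged here.
        $phrase = $flat.Substring(0, $opens[0])
        $bad = @($phrase.ToCharArray() | Where-Object { -not [char]::IsWhiteSpace($_) -and $AText -notcontains $_ } | Sort-Object -Unique)
        if ($bad.Count -gt 0) { $findings.Add('unquoted specials in display-name: ' + (-join $bad)) }
        # Only whitespace may follow the closing ">" of a single mailbox.
        if ($closes.Count -gt 0 -and $flat.Substring($closes[-1] + 1).Trim()) {
            $findings.Add('trailing text after addr-spec')
        }
    } elseif ($flat -notmatch '^[^\s@]+@[^\s@]+$') {
        $findings.Add('no addr-spec found')
    }

    # RFC-legal but worth a second look: a quoted display-name that itself carries
    # an address or angle brackets is what a lenient client may show as the sender.
    $deceptive = [bool]($split.Quoted | Where-Object { $_ -match '[<>@]' })

    [pscustomobject]@{
        Header               = $Value
        AddrSpecs            = $addrSpecs
        Findings             = $findings.ToArray()
        Compliant            = ($findings.Count -eq 0)
        DeceptiveDisplayName = $deceptive
    }
}

# Constructed sample headers (not taken from any real message).
$samples = @(
    '"Jane Doe" <jane@corp.example>',                        # compliant
    'jane@corp.example',                                     # compliant, bare addr-spec
    'Jane Doe <ceo@corp.example> <attacker@evil.example>',   # unquoted <> in the name, two addr-specs
    '"CEO <ceo@corp.example>" <attacker@evil.example>',      # RFC-legal, but deceptive display-name
    'Finance <team>: jane@corp.example;'                     # group with <> in its name
)
$samples | ForEach-Object { Test-P2FromHeader -Value $_ } |
    Format-Table Compliant, DeceptiveDisplayName, Header, Findings -AutoSize
```

The third and fifth samples are the non-compliant shapes Kokorin describes; the fourth passes the strict check yet still looks like a different sender to a human reader, which is why a banner or a mail flow rule, rather than parsing alone, is the practical mitigation.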

Exchange servers now warn of exploitation

While Microsoft has not patched the vulnerability and will still accept emails with these malformed headers, the company says Exchange servers will now detect and prepend a warning to malicious emails after installing the Exchange Server November 2024 Security Update (SU).

CVE-2024-49040 exploitation detection and email warnings will be enabled by default on all systems where admins enable secure by default settings.

Up-to-date Exchange servers will also add a warning to the body of any email they detect as having a forged sender, along with an X-MS-Exchange-P2FromRegexMatch header that lets admins reject phishing emails attempting to exploit this flaw using custom mail flow rules.
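One way to act on that header, as an added example that is not Microsoft’s or the article’s own code: a mail flow (transport) rule, created from the Exchange Management Shell, that rejects external messages stamped with X-MS-Exchange-P2FromRegexMatch. The only assumption taken from the article is that patched servers add this header to detected messages; the article does not state the header’s value, so the rule keys on the header being present with any non-empty value rather than on a specific string. The rule name, rejection text and comments are constructed.

```powershell
# Create the rule in Audit mode first: matches are recorded, nothing is
# rejected yet, so legitimate senders with odd-but-harmless headers surface
# before enforcement. The condition requires the header to exist with a
# non-empty value (assumption: no specific value is relied upon).
New-TransportRule -Name "Reject non-compliant P2 FROM (CVE-2024-49040)" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "X-MS-Exchange-P2FromRegexMatch" `
    -HeaderMatchesPatterns "^.+$" `
    -RejectMessageReasonText "Rejected: sender header is not RFC 5322 compliant" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Comments "Audit first; switch to Enforce after reviewing matches"

# Confirm the rule exists, is enabled, and is still auditing.
Get-TransportRule -Identity "Reject non-compliant P2 FROM (CVE-2024-49040)" |
    Format-List Name, State, Mode, Priority, FromScope, HeaderMatchesMessageHeader, HeaderMatchesPatterns

# Once the audit period shows no false positives, start rejecting.
Set-TransportRule -Identity "Reject non-compliant P2 FROM (CVE-2024-49040)" -Mode Enforce
```

Keep the server-side disclaimer enabled while this rule is in Audit mode: until the rule enforces, the banner is the only thing warning recipients about the detected messages.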


“Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method,” the warning reads.

Suspicious message disclaimer (Microsoft)

While not advised, the company provides the following PowerShell commands for those who still want to disable this new security feature (run them from an elevated Exchange Management Shell; the second command refreshes the variant configuration so the override takes effect):

New-SettingOverride -Name "DisableNonCompliantP2FromProtection" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

“Although it is possible to disable the feature using New-SettingOverride, we strongly recommend you leave the feature enabled, as disabling the feature makes it easier for bad actors to run phishing attacks against your organization,” Redmond warned.
