A new report from the Acronis Threat Research Unit has discovered a vulnerability in Microsoft Exchange Online configuration that could allow email spoofing attacks.
This issue primarily affects users with a hybrid setup of on-premises Exchange and Exchange Online, and those using third-party email security solutions.
In July 2023, Microsoft introduced a major change to the way it handles DMARC (Domain-based Message Authentication, Reporting, and Conformance) within Microsoft Exchange. This update aimed to strengthen security by improving the way email servers verify the legitimacy of incoming emails. Unfortunately, despite clear instructions from Microsoft, a considerable number of users have not yet implemented these security measures, leaving their systems vulnerable to various cyber threats, particularly email spoofing.
How misconfiguration creates vulnerabilities
Microsoft Exchange Online can be used as a mail server without the need for on-premises Exchange servers or third-party anti-spam solutions. However, vulnerabilities arise when Exchange Online is used in hybrid environments (where on-premises Exchange servers communicate with Exchange Online through connectors) or when a third-party MX server is involved.
Email remains a key target for cybercriminals, which is why it is essential to have strong security protocols in place to protect against spoofing. Three critical protocols have been developed for this purpose:
- Sender Policy Framework (SPF) verifies, using DNS records, whether a mail server is authorized to send email on behalf of a domain.
- DomainKeys Identified Mail (DKIM) allows emails to be digitally signed, verifying that they originate from an authorized server and confirming the authenticity of the sender’s domain.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) determines how emails that fail SPF or DKIM checks should be handled, specifying actions such as rejection or quarantine to improve email security.
To understand how email security protocols work together, consider a typical email flow: Server A initiates a DNS request to locate the Mail Exchange (MX) server for the recipient domain (e.g., ourcompany.com), then sends an email from “[email protected]” to “[email protected]” via one of the MX servers (Server B). Server B then verifies the email by checking whether it originates from an authoritative server (SPF verification), ensuring the presence of a valid DKIM signature, and following the actions specified by the domain’s DMARC policy. If Server A is not included in the SPF records, lacks a valid DKIM signature, or if the DMARC policy is set to “Reject,” Server B should reject the email. However, if the receiving server is misconfigured, these security checks can be bypassed, allowing the email to be delivered and posing a significant security risk.
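The Server B decision described above, written out as an added example (this is not code from the Acronis report or from Microsoft). It parses a constructed DMARC record, checks SPF and DKIM results for identifier alignment with the From domain, and returns the disposition the domain owner requested; the sample domains, record and results are constructed, not real DNS data. A misconfigured receiving server is one that never runs this evaluation at all.

```powershell
# Added example: a minimal DMARC disposition evaluator. The record and the
# SPF/DKIM results below are constructed sample data, not real DNS answers.

function Test-DomainAlignment {
    param(
        [string]$AuthDomain,   # domain that SPF or DKIM authenticated
        [string]$FromDomain,   # domain in the RFC 5322 From header
        [string]$Mode          # 'r' (relaxed) or 's' (strict)
    )
    $a = $AuthDomain.ToLowerInvariant()
    $f = $FromDomain.ToLowerInvariant()
    if ($a -eq $f) { return $true }
    # Relaxed alignment also accepts a subdomain of the From domain
    if ($Mode -eq 'r' -and $a.EndsWith(".$f")) { return $true }
    return $false
}

function ConvertFrom-DmarcRecord {
    param([string]$Record)   # e.g. "v=DMARC1; p=reject; adkim=s; aspf=r"
    # Defaults per the DMARC specification when a tag is absent
    $tags = @{ p = 'none'; adkim = 'r'; aspf = 'r' }
    foreach ($part in $Record -split ';') {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $tags
}

function Get-DmarcDisposition {
    param(
        [string]$DmarcRecord,
        [string]$FromDomain,
        [string]$SpfResult,      # 'pass' or 'fail'
        [string]$SpfDomain,      # MAIL FROM domain that SPF evaluated
        [string]$DkimResult,     # 'pass' or 'fail'
        [string]$DkimDomain      # d= tag of the DKIM signature
    )
    $policy = ConvertFrom-DmarcRecord $DmarcRecord
    $spfAligned  = ($SpfResult -eq 'pass')  -and (Test-DomainAlignment $SpfDomain  $FromDomain $policy.aspf)
    $dkimAligned = ($DkimResult -eq 'pass') -and (Test-DomainAlignment $DkimDomain $FromDomain $policy.adkim)
    if ($spfAligned -or $dkimAligned) { return 'pass' }
    # Neither identifier passed and aligned: apply the domain owner's requested action
    return $policy.p   # 'none', 'quarantine' or 'reject'
}

# Constructed scenario 1: a message claiming to be from ourcompany.com, sent by a
# server absent from ourcompany.com's SPF record and carrying no valid DKIM signature.
$record  = 'v=DMARC1; p=reject; adkim=s; aspf=r'
$spoofed = Get-DmarcDisposition -DmarcRecord $record -FromDomain 'ourcompany.com' `
    -SpfResult 'fail' -SpfDomain 'unrelated.example' -DkimResult 'fail' -DkimDomain ''
"Spoofed message verdict: $spoofed"

# Constructed scenario 2: a legitimate message relayed by a bulk mailer whose
# envelope domain fails SPF, but which carries an aligned DKIM signature.
$legit = Get-DmarcDisposition -DmarcRecord $record -FromDomain 'ourcompany.com' `
    -SpfResult 'fail' -SpfDomain 'bounce.mailer.example' -DkimResult 'pass' -DkimDomain 'ourcompany.com'
"Legitimate relayed message verdict: $legit"
```

The first call yields `reject` and the second `pass`, which is the point of the flow: only an aligned SPF or DKIM pass rescues a message, and the DMARC `p=` tag decides what happens otherwise. When Exchange Online accepts mail through a connector that skips this evaluation, the `reject` verdict in scenario 1 is simply never reached.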
In a hybrid environment, the Exchange Hybrid Configuration wizard typically creates standard inbound and outbound connectors to facilitate data exchange between Exchange Online and on-premises Exchange servers. However, configuration errors can occur, especially if administrators are unaware of potential risks or fail to lock down their Exchange Online organization to accept mail only from trusted sources.
Inbound connectors play a critical role in determining how the Exchange server handles incoming emails. In hybrid environments, administrators must ensure that the correct connectors are installed and configured correctly. This includes creating a partner connector with specific IP addresses or certificates to ensure that only emails from trusted sources are accepted. Without these safeguards, misconfigured inbound connectors could allow malicious emails to bypass security controls, leading to potential attacks.
When using a third-party MX server, it is essential to configure the Exchange Online instance according to Microsoft recommendations. Failure to do so can leave your organization vulnerable to phishing attacks, as emails can bypass critical security controls such as DMARC, SPF, and DKIM.
For example, if the MX record for the tenant's recipient domain points to a third-party email security solution instead of Microsoft's, DMARC policies will not be enforced. As a result, emails from unverified sources may be delivered, increasing the risk of spoofing and phishing attacks.
To protect against email spoofing and related risks, administrators should harden their Exchange environment by taking the following key steps:
- Create additional inbound connectors following Microsoft guidelines to restrict incoming emails to trusted sources.
- Implement enhanced filtering for connectors to enforce additional security controls.
- Implement data loss prevention (DLP) and transport rules to prevent unauthorized emails and protect sensitive information.
- Perform regular security audits to ensure that Exchange server configurations align with the latest security practices.
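The four steps above, carried out in Exchange Online PowerShell for a tenant whose MX record points at a third-party gateway, as an added example (not configuration from the Acronis report or from Microsoft's documentation). The gateway IP range, certificate subject, connector and rule names, and the ourcompany.com domain are constructed placeholders to be replaced with the tenant's own values.

```powershell
# Added example: hardening Exchange Online behind a third-party mail gateway.
# All IPs, names and domains below are placeholders, not real values.

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

$gatewayIPs = @('203.0.113.0/24')   # placeholder: the third-party gateway's sending range
$ourDomain  = 'ourcompany.com'      # placeholder: the tenant's accepted domain

# Step 1: a partner inbound connector that only accepts mail from the gateway.
# With RestrictDomainsToIPAddresses, Exchange Online rejects direct delivery
# for the listed sender domains from any source outside $gatewayIPs.
New-InboundConnector -Name 'Inbound from gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Step 2: Enhanced Filtering for Connectors, so SPF/DKIM/DMARC are evaluated
# against the original sending IP rather than the gateway's own IP.
Set-InboundConnector -Identity 'Inbound from gateway' -EFSkipLastIP $true

# Step 3: a transport rule that rejects external messages using our own
# domain unless they arrived through the gateway.
New-TransportRule -Name 'Reject spoofed internal domain' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ourDomain `
    -ExceptIfSenderIpRanges $gatewayIPs `
    -RejectMessageReasonText 'Unauthenticated use of internal domain'

# Step 4: audit. List enabled connectors that accept mail without any IP or
# certificate restriction; each one is a candidate path around the gateway.
Get-InboundConnector | Where-Object {
    $_.Enabled -and -not $_.RestrictDomainsToIPAddresses -and -not $_.RestrictDomainsToCertificate
} | Select-Object Name, ConnectorType, SenderDomains, SenderIPAddresses
```

Step 3 assumes every legitimate sender of mail from $ourDomain routes through the gateway; any other authorized relay must be added to the exception list, otherwise its mail is rejected. Step 4 is worth scheduling, since a connector created later by the Hybrid Configuration wizard or by another administrator will appear in its output.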