Misconfigurations in Microsoft Exchange open new doors to email spoofing attacks — here’s how it works


A new report from the Acronis Threat Research Unit has uncovered a vulnerability in Microsoft Exchange Online settings that could enable email spoofing attacks.

This issue primarily affects users with a hybrid configuration of on-premises Exchange and Exchange Online, and those utilizing third-party email security solutions.

In July 2023, Microsoft introduced a major change in how it handles DMARC (Domain-based Message Authentication, Reporting, and Conformance) within Microsoft Exchange. This update was intended to bolster security by enhancing how email servers verify incoming emails' legitimacy. Unfortunately, despite clear guidance from Microsoft, a considerable number of users have yet to implement these security measures, leaving their systems vulnerable to various cyber threats, particularly email spoofing.

How misconfiguration leads to vulnerabilities


Microsoft Exchange Online can be used as a mail server without the need for on-premises Exchange servers or third-party anti-spam solutions. However, vulnerabilities arise when Exchange Online is used in hybrid environments - where on-premises Exchange servers communicate with Exchange Online via connectors - or when a third-party MX server is involved.

Email remains a key target for cybercriminals, and this is why robust security protocols are essential to protect against spoofing. Three critical protocols have been developed for this purpose: Sender Policy Framework (SPF) checks whether a mail server is authorized to send email on behalf of a domain using DNS records; DomainKeys Identified Mail (DKIM) allows emails to be digitally signed, verifying that they originate from an authorized server and confirming the sender's domain authenticity; and Domain-based Message Authentication, Reporting, and Conformance (DMARC) determines how emails that fail SPF or DKIM checks should be handled, specifying actions like rejection or quarantine to enhance email security.

To understand how email security protocols work together, consider a typical email flow: Server A initiates a DNS request to locate the Mail Exchange (MX) server of the recipient's domain (e.g., ourcompany.com), then sends an email from "user@company.com" to "user2@ourcompany.com" via one of the MX servers (Server B). Server B then verifies the email by checking if it originates from an authorized server (SPF verification), ensuring the presence of a valid DKIM signature, and following the actions specified by the domain's DMARC policy. If Server A is not listed in the SPF records, lacks a valid DKIM signature, or if the DMARC policy is set to "Reject," Server B should reject the email. However, if the receiving server is misconfigured, these security checks may be bypassed, allowing the email to be delivered and posing a significant security risk.
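The receiving server's decision in the flow above, modelled as an added PowerShell example (not code from the Acronis report or from Microsoft): the SPF and DKIM results are passed in rather than looked up in DNS, and the organizational domain is approximated by the last two DNS labels, both of which are simplifications of this example.

```powershell
function Get-OrgDomain {
    param([string]$Domain)
    # Simplification: last two labels stand in for the organizational domain
    # (real DMARC uses the Public Suffix List, so co.uk-style domains differ).
    $labels = $Domain.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-Alignment {
    param([string]$FromDomain, [string]$AuthDomain, [string]$Mode)
    if ([string]::IsNullOrEmpty($AuthDomain)) { return $false }
    if ($Mode -eq 's') { return ($FromDomain.ToLower() -eq $AuthDomain.ToLower()) }
    return ((Get-OrgDomain $FromDomain) -eq (Get-OrgDomain $AuthDomain))
}

function Get-DmarcDisposition {
    param(
        [string]$FromDomain,   # RFC5322.From domain the recipient sees
        [string]$SpfResult,    # 'pass' or any failure value
        [string]$SpfDomain,    # MAIL FROM domain SPF was evaluated for
        [string]$DkimResult,   # 'pass' or any failure value
        [string]$DkimDomain,   # d= tag of the DKIM signature, '' if unsigned
        [string]$DmarcRecord   # TXT record published at _dmarc.<FromDomain>
    )
    # Parse "v=DMARC1; p=reject; adkim=s; aspf=r" into a hashtable of tags
    $tags = @{}
    foreach ($part in $DmarcRecord.Split(';')) {
        $kv = $part.Trim().Split('=', 2)
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { return 'none' }   # no usable policy published
    $aspf  = if ($tags['aspf'])  { $tags['aspf'] }  else { 'r' }   # relaxed by default
    $adkim = if ($tags['adkim']) { $tags['adkim'] } else { 'r' }
    # DMARC passes if either SPF or DKIM passed AND its domain aligns with From
    $spfOk  = ($SpfResult  -eq 'pass') -and (Test-Alignment $FromDomain $SpfDomain  $aspf)
    $dkimOk = ($DkimResult -eq 'pass') -and (Test-Alignment $FromDomain $DkimDomain $adkim)
    if ($spfOk -or $dkimOk) { return 'pass' }
    # Neither aligned check passed: the sender domain's p= tag decides the outcome
    switch ($tags['p']) {
        'reject'     { return 'reject' }
        'quarantine' { return 'quarantine' }
        default      { return 'none' }
    }
}

# Constructed input matching the flow above: claims company.com, SPF fails, no DKIM signature
Get-DmarcDisposition -FromDomain 'company.com' -SpfResult 'fail' -SpfDomain 'company.com' `
    -DkimResult 'none' -DkimDomain '' -DmarcRecord 'v=DMARC1; p=reject'
```

A misconfigured Server B is one that never reaches this decision for mail arriving through a trusted connector, which is the gap the article describes.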

In a hybrid environment, the Exchange Hybrid Setup wizard typically creates standard inbound and outbound connectors to facilitate data exchange between Exchange Online and on-premises Exchange servers. Nevertheless, misconfigurations can occur, especially if administrators are unaware of the potential risks or fail to lock down their Exchange Online organization to accept mail only from trusted sources.

Inbound connectors play a crucial role in determining how incoming emails are handled by the Exchange server. In hybrid environments, administrators must ensure that the correct connectors are in place and properly configured. This includes creating a Partner connector with specific IP addresses or certificates to ensure that only emails from trusted sources are accepted. Without these safeguards, misconfigured inbound connectors could allow malicious emails to bypass security checks, leading to potential compromises.

When using a third-party MX server, it is essential to configure the Exchange Online instance according to Microsoft's recommendations. Failure to do so can expose the organization to spoofing attacks, as emails may bypass critical security checks like DMARC, SPF, and DKIM.

For instance, if the tenant recipient domain's MX record points to a third-party email security solution instead of Microsoft's, DMARC policies will not be applied. As a result, emails from unverified sources may be delivered, increasing the risk of phishing and spoofing attacks.

To safeguard against email spoofing and related risks, administrators should strengthen their Exchange environment by taking the following key steps:

  • Create additional inbound connectors following Microsoft's guidelines to restrict incoming emails to trusted sources.
  • Implement enhanced filtering for connectors to apply additional security checks.
  • Deploy Data Loss Prevention (DLP) and transport rules to prevent unauthorized emails and protect sensitive information.
  • Conduct regular security audits to ensure that Exchange server configurations align with the latest security practices.
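One way to carry out the first two steps and the audit in Exchange Online PowerShell, as an added example that is not part of the article or of Microsoft's documentation; the connector name, the admin UPN, the domain and the gateway IP ranges are placeholders, and the ExchangeOnlineManagement module is assumed to be installed.

```powershell
Connect-ExchangeOnline -UserPrincipalName 'admin@ourcompany.com'   # placeholder admin UPN

# Placeholder IP ranges owned by the third-party gateway (constructed; replace with real ones)
$gatewayIPs = @('203.0.113.0/24', '198.51.100.10')

# 1. Partner connector: accept mail for any sender domain only when it arrives from the
#    gateway's IPs; RestrictDomainsToIPAddresses makes Exchange Online reject direct delivery
#    that bypasses the gateway. For a certificate-pinned variant use
#    -RestrictDomainsToCertificate $true -TlsSenderCertificateName '<gateway cert subject>'.
New-InboundConnector -Name 'Inbound from security gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# 2. Enhanced Filtering for Connectors: skip the gateway's IP so SPF/DKIM/DMARC are
#    evaluated against the true originating hop instead of the trusted relay.
Set-InboundConnector -Identity 'Inbound from security gateway' -EFSkipLastIP $true

# 3. Audit: list every enabled connector that accepts all sender domains without pinning
#    them to source IPs or a TLS certificate, the misconfiguration the article describes.
function Get-UnrestrictedInboundConnectors {
    Get-InboundConnector | Where-Object {
        $_.Enabled -and
        (($_.SenderDomains -join ',') -match '\*') -and
        -not $_.RestrictDomainsToIPAddresses -and
        -not $_.RestrictDomainsToCertificate
    } | Select-Object Name, ConnectorType, RestrictDomainsToIPAddresses, RestrictDomainsToCertificate
}
Get-UnrestrictedInboundConnectors | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Any connector the audit returns should be either restricted as in step 1 or disabled, and the audit is worth scheduling as part of the regular review the last step calls for.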


Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com