[German]Microsoft's November 2024 security updates for Exchange, has added a new feature to its Exchange 2016 and Exchange 2019 servers. Microsoft Exchange now warns when receiving emails that exploit a spoofing vulnerability (Exchange Server non-RFC compliant P2 FROM header detection CVE-2024-49040). The only problem is that the security updates from November 2024 have currently been stopped.
Advertising
Non-RFC compliant P2 FROM header detection
In my blog post Microsoft Exchange Server Updates November 12, 2024 I reported on the new features that were rolled out with the security updates for Exchange 2016 and Exchange 2019 servers. A new function was implemented to detect non-RFC 5322-compliant P2-FROM headers in incoming email messages.
The P2-FROM header in an email is part of the message header that is displayed to the recipient's email client (e.g. Outlook). It is the email address or the name of the sender (if the sender is internal) that is displayed in the "From" field when you view an email in your inbox.
Spoofing vulnerability CVE-2024-49040
In November 2024, Microsoft confirmed that the existing spoofing vulnerability CVE-2024-49040 in Exchange 2016 and Exchange 2019 servers has been closed by security updates.
Vsevolod Kokorin from Solidlab discovered this vulnerability and reported on it in this article in May 2024. The problem is that SMTP servers evaluate the recipient address of emails differently, which enables email spoofing. Our colleagues at Bleeping Computer have discussed these findings here.
Microsoft warns of CVE-2024-49040 spoofing
After Microsoft was informed by Solidlab about the spoofing vulnerability CVE-2024-49040 in Exchange Server, the whole thing was investigated. Microsoft writes that the vulnerability is caused by the current implementation of the P2 FROM header check, which takes place during transport. The current implementation allows some non-RFC5322-compliant P2 FROM headers to pass. This can result in the email client (e.g. Microsoft Outlook) displaying a forged sender as if it were legitimate.
Advertising
As of the Microsoft Exchange Server Updates November 12, 2024, Exchange Server can recognize and flag email messages that contain potentially malicious patterns in the P2 FROM header. If a suspicious message is detected by the Exchange Server, the following disclaimer will automatically be prepended to the body of the email message:
The Exchange Server also adds the X-MS-Exchange-P2FromRegexMatch header to any email message that is recognized by this feature. Administrators can use an Exchange Transport Rule (ETR) to recognize the header and perform a specific action.
Microsoft provides an example in the support article. Spoofing mail detection is automatically enabled on Exchange Server 2016/2019 with the November 2024 security update installed. Administrators can deactivate the function using New-SettingOverride – the PowerShell commands are also mentioned in the support article.
Advertising
