{"id":36391,"date":"2024-11-16T00:01:54","date_gmt":"2024-11-15T23:01:54","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=36391"},"modified":"2024-11-14T22:30:24","modified_gmt":"2024-11-14T21:30:24","slug":"exchange-2016-2019-now-warns-against-exploiting-the-spoofing-vulnerability-cve-2024-49040-in-emails","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/11\/16\/exchange-2016-2019-now-warns-against-exploiting-the-spoofing-vulnerability-cve-2024-49040-in-emails\/","title":{"rendered":"Exchange 2016\/2019 now warns against exploiting the spoofing vulnerability CVE-2024-49040 in emails"},"content":{"rendered":"

\"Exchange[German<\/a>]Microsoft's November 2024 security updates for Exchange, has added a new feature to its Exchange 2016 and Exchange 2019 servers. Microsoft Exchange now warns when receiving emails that exploit a spoofing vulnerability (Exchange Server non-RFC compliant P2 FROM header detection CVE-2024-49040). The only problem is that the security updates from November 2024 have currently been stopped.<\/p>\n

<\/p>\n

Non-RFC compliant P2 FROM header detection<\/h2>\n

\"\"In my blog post Microsoft Exchange Server Updates November 12, 2024<\/a>\u00a0I reported on the new features that were rolled out with the security updates for Exchange 2016 and Exchange 2019 servers. A new function was implemented to detect non-RFC 5322-compliant P2-FROM headers in incoming email messages.<\/p>\n

The P2-FROM header in an email is part of the message header that is displayed to the recipient's email client (e.g. Outlook). It is the email address or the name of the sender (if the sender is internal) that is displayed in the \"From\" field when you view an email in your inbox.<\/p>\n

Spoofing vulnerability CVE-2024-49040<\/h3>\n

In November 2024, Microsoft confirmed that the existing spoofing vulnerability CVE-2024-49040<\/a> in Exchange 2016 and Exchange 2019 servers has been closed by security updates.<\/p>\n

Vsevolod Kokorin from Solidlab discovered this vulnerability and reported on it in this article<\/a> in May 2024. The problem is that SMTP servers evaluate the recipient address of emails differently, which enables email spoofing. Our colleagues at Bleeping Computer have discussed these findings here<\/a>.<\/p>\n

Microsoft warns of CVE-2024-49040 spoofing<\/h3>\n

After Microsoft was informed by Solidlab about the spoofing vulnerability CVE-2024-49040<\/a> in Exchange Server, the whole thing was investigated. Microsoft writes that the vulnerability is caused by the current implementation of the P2 FROM header check<\/em>, which takes place during transport. The current implementation allows some non-RFC5322-compliant<\/a> P2 FROM headers to pass. This can result in the email client (e.g. Microsoft Outlook) displaying a forged sender as if it were legitimate.<\/p>\n

As of the Microsoft Exchange Server Updates November 12, 2024<\/a>, Exchange Server can recognize and flag email messages that contain potentially malicious patterns in the P2 FROM header. If a suspicious message is detected by the Exchange Server, the following disclaimer will automatically be prepended to the body of the email message:<\/p>\n

\"Exchange<\/a>
\nClick to zoom<\/a><\/p>\n

The Exchange Server also adds the X-MS-Exchange-P2FromRegexMatch<\/em> header to any email message that is recognized by this feature. Administrators can use an Exchange Transport Rule (ETR) to recognize the header and perform a specific action.<\/p>\n

Microsoft provides an example in the support article<\/a>. Spoofing mail detection is automatically enabled on Exchange Server 2016\/2019 with the November 2024 security update installed. Administrators can deactivate the function using New-SettingOverride<\/a> – the PowerShell commands are also mentioned in the support article.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Microsoft's November 2024 security updates for Exchange, has added a new feature to its Exchange 2016 and Exchange 2019 servers. Microsoft Exchange now warns when receiving emails that exploit a spoofing vulnerability (Exchange Server non-RFC compliant P2 FROM header detection … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22],"tags":[869,2879,69,195],"class_list":["post-36391","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","tag-exchange","tag-patchday-11-2024","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=36391"}],"version-history":[{"count":5,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36391\/revisions"}],"predecessor-version":[{"id":36402,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36391\/revisions\/36402"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=36391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=36391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=36391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}