Microsoft Exchange adds warning to emails abusing spoofing flaw

Microsoft has disclosed a high-severity Exchange Server vulnerability that enables attackers to forge legitimate senders on incoming emails and make malicious messages much more effective.

The security flaw (CVE-2024-49040) impacts Exchange Server 2016 and 2019, and was discovered by Solidlab security researcher Vsevolod Kokorin, who reported it to Microsoft earlier this year.

“The issue is that SMTP servers parse the recipient address differently, which leads to email spoofing,” Kokorin said in a May report.

“Another issue I discovered is that some email providers allow the use of the symbols < and > in group names, which does not comply with RFC standards.”

“During my research, I did not find a single mail provider that correctly parses the ‘From’ field according to RFC standards,” he added.

CVE-2024-49040 email spoofing (Vsevolod Kokorin)

Microsoft also warned today that the flaw could be used in spoofing attacks targeting Exchange servers and released several updates during this month’s Patch Tuesday to add exploitation detection and warning banners.

“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport,” Microsoft explained.

“The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass, which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate.”

Exchange servers now warn of exploitation

While Microsoft has not patched the vulnerability and Exchange will still accept emails with these malformed headers, the company says Exchange servers will now detect such messages and prepend a warning to them after the Exchange Server November 2024 Security Update (SU) is installed.

CVE-2024-49040 exploitation detection and email warnings will be enabled by default on all systems where admins have enabled secure-by-default settings.

Up-to-date Exchange servers will also add a warning to the body of any email they detect as having a forged sender, and will stamp it with an X-MS-Exchange-P2FromRegexMatch header so that admins can reject phishing emails attempting to exploit this flaw using custom mail flow rules.
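The mail flow rule the paragraph above refers to, as an added example that is not part of the article and not Microsoft's own guidance. It assumes an elevated Exchange Management Shell on a server with the November 2024 SU; the rule name and status code are arbitrary choices, and because the page does not state what value the X-MS-Exchange-P2FromRegexMatch header carries, the rule matches any non-empty value rather than a specific string.

```powershell
# Added example (not from the article or Microsoft): reject inbound messages that
# Exchange's CVE-2024-49040 detection has tagged with X-MS-Exchange-P2FromRegexMatch.
# Assumptions: elevated Exchange Management Shell, November 2024 SU installed,
# header value unknown (so any non-empty value matches), rule name is arbitrary.

function New-P2FromRejectRule {
    param(
        [string] $Name = "Reject forged P2 FROM (CVE-2024-49040)",
        # Audit mode only logs what would have been rejected; use it first.
        [switch] $AuditOnly
    )

    # Idempotent: re-running the script must not create a duplicate rule.
    $existing = Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Rule '$Name' already exists; leaving it unchanged."
        return $existing
    }

    $mode = if ($AuditOnly) { 'Audit' } else { 'Enforce' }

    # Priority 0 puts the rule ahead of any disclaimer or redirect rules so a
    # forged message is rejected before other rules act on it.
    New-TransportRule -Name $Name `
        -Priority 0 `
        -Mode $mode `
        -HeaderMatchesMessageHeader 'X-MS-Exchange-P2FromRegexMatch' `
        -HeaderMatchesPatterns '.+' `
        -RejectMessageReasonText 'Message rejected: non-RFC 5322 compliant From header (CVE-2024-49040)' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Rejects messages flagged by the November 2024 SU P2 FROM detection.'
}

# Start in audit mode, review the message tracking log for false positives,
# then switch the rule to Enforce with Set-TransportRule -Identity <name> -Mode Enforce.
New-P2FromRejectRule -AuditOnly
```

Audit mode is worth the extra step: the detection is a regex match on header syntax, so legitimate but sloppy senders (mailing list software, ticketing systems) may be flagged too, and an Enforce rule would bounce their mail outright.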

“Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method,” the warning reads.

Suspicious message disclaimer (Microsoft)

While not advised, the company provides the following PowerShell commands for those who still want to disable this new security feature (run them from an elevated Exchange Management Shell):

# Create an org-wide override that turns off the disclaimer for regex-matched P2 FROM headers
New-SettingOverride -Name "DisableNonCompliantP2FromProtection" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
# Refresh the variant configuration so the override takes effect without restarting services
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

“Although it is possible to disable the feature using New-SettingOverride, we strongly recommend you leave the feature enabled, as disabling the feature makes it easier for bad actors to run phishing attacks against your organization,” Redmond warned.
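A check to go with that warning, as an added example that is not part of the article and not Microsoft's own tooling: it reports any setting override in the NonCompliantSenderSettings section (not only the name used above, since an override can be created under any name) and, with -Remediate, removes it and runs the same configuration refresh the article shows. It assumes an elevated Exchange Management Shell and that the setting override objects expose the Name, ComponentName, SectionName, Parameters and Reason properties.

```powershell
# Added example (not from the article or Microsoft): audit whether the
# CVE-2024-49040 disclaimer protection has been switched off via a setting
# override, and optionally remove the override.
# Assumptions: elevated Exchange Management Shell; Get-SettingOverride objects
# expose Name, ComponentName, SectionName, Parameters and Reason.

function Test-P2FromProtectionOverride {
    param([switch] $Remediate)

    # Any override in this section can weaken the protection, whatever it was named.
    $overrides = Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.SectionName -eq 'NonCompliantSenderSettings' }

    if (-not $overrides) {
        Write-Host "No override found: non-compliant P2 FROM protection is active."
        return $true
    }

    foreach ($o in $overrides) {
        Write-Warning ("Override '{0}' in {1}/{2}: {3} (reason: {4})" -f `
            $o.Name, $o.ComponentName, $o.SectionName, ($o.Parameters -join ';'), $o.Reason)
        if ($Remediate) {
            Remove-SettingOverride -Identity $o.Name -Confirm:$false
            Write-Host "Removed override '$($o.Name)'."
        }
    }

    if ($Remediate) {
        # Same refresh the article uses after New-SettingOverride; it only
        # affects the server it runs on, so repeat it on each Exchange server.
        Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration -Argument Refresh | Out-Null
        return $true
    }
    return $false
}

# Report only; add -Remediate to remove the override and refresh the configuration.
Test-P2FromProtectionOverride
```

Setting overrides are stored in Active Directory and apply to every Exchange server in the organization unless scoped with -Server, so a single override created "for troubleshooting" on one server silently disables the warning banner everywhere; running this check from a scheduled task gives you a record of when it was turned off and by whom.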
