VYPR
Advisory · Published Jun 9, 2026 · 1 source

Microsoft Exchange 'Ghost-Sender' Flaw Allows Widespread Email Spoofing

A vulnerability dubbed 'Ghost-Sender' allows attackers to spoof any email address on Microsoft Exchange Online and hybrid deployments by exploiting misconfigurations in third-party mail servers.

A newly identified vulnerability, named 'Ghost-Sender' by Swiss cybersecurity firm InfoGuard, enables attackers to impersonate any sender within a targeted organization's email system. This exploit affects Microsoft Exchange Online and on-premises Exchange deployments configured in a hybrid mode, particularly when utilizing a third-party mail server or spam filter as the primary mail exchange (MX) record.

The core of the vulnerability lies in how certain Exchange configurations handle incoming emails when an external MX record is in place. By default, Exchange Online may accept emails from any source if an external MX record is configured without additional security measures. This allows attackers to bypass standard email authentication protocols such as SPF, DKIM, and DMARC, rendering them ineffective against this specific attack vector. The result is the delivery of fraudulent emails that appear to originate from legitimate internal or external addresses, complete with sender profile pictures for internal spoofing.

InfoGuard's research highlights that this is not an isolated issue but rather a widespread misconfiguration. The firm estimates that fewer than half of organizations with an external-facing MX record have implemented available mitigations. The potential impact is significant, ranging from sophisticated phishing campaigns and business email compromise (BEC) attacks to the distribution of fake invoices or fraudulent communications that could lead to financial loss or reputational damage.

Exploitation is reportedly straightforward, requiring little more than a simple PowerShell command to initiate the spoofed email. InfoGuard has even developed a testing tool to help organizations identify if their domains are vulnerable. Alarmingly, the firm claims that Microsoft's own configuration analysis tools fail to flag these vulnerabilities, and even enhanced filtering or standard Exchange protection settings do not prevent the spoofing.

Adding to the concern, InfoGuard stated that Microsoft support indicated the issue, or a related one, appears to be actively abused in the wild. The cybersecurity firm reported the vulnerability to Microsoft in April, but it was initially dismissed as a non-MSRC case. Microsoft support later described it as a known architectural limitation, suggesting workarounds like changing the MX record to M365 or adding specific headers, which InfoGuard argues do not fully resolve the underlying issue.

Mitigation strategies for organizations include setting up a partner organization connector that validates incoming emails based on IP address or certificate, or implementing a mail flow rule to quarantine emails lacking the correct X-MS-Exchange-Organization-AuthAs header or originating from unexpected IP addresses. Disabling the Direct Send feature is also recommended as a protective measure against internal spoofing.
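The three mitigations above, expressed as Exchange Online PowerShell, as an added example (this is not InfoGuard's or Microsoft's code). It assumes a tenant whose MX points at a third-party gateway relaying from the constructed addresses 203.0.113.10 and 203.0.113.11, own domains example.com and example.net, and that the tenant-level RejectDirectSend setting is available; replace the placeholders with your own values.

```powershell
# Added example, not code from InfoGuard or Microsoft: applying the mitigations
# described above to an Exchange Online tenant whose MX record points at a
# third-party gateway. Assumptions (placeholders, replace with your own values):
#   - the gateway relays inbound mail from 203.0.113.10 and 203.0.113.11 (constructed)
#   - the tenant's own accepted domains are example.com and example.net (constructed)
# Run in an Exchange Online PowerShell session (ExchangeOnlineManagement module):
#   Connect-ExchangeOnline -UserPrincipalName admin@example.com

$GatewayIPs = @('203.0.113.10', '203.0.113.11')
$OwnDomains = @('example.com', 'example.net')

# 1. Partner connector: identify the gateway by source IP and require TLS on the hop.
#    Certificate-based identification is the alternative the advisory mentions:
#    -RestrictDomainsToCertificate $true -TlsSenderCertificateName 'mail.example.com'
New-InboundConnector -Name 'Inbound from mail gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -RequireTls $true `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $GatewayIPs `
    -Enabled $true

# 2. Mail flow rule: external mail that did not arrive from the gateway's addresses
#    bypassed the MX path and is quarantined for review.
New-TransportRule -Name 'Quarantine external mail bypassing the gateway' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $GatewayIPs `
    -Quarantine $true `
    -Comments 'Ghost-Sender mitigation: inbound mail must traverse the gateway'

# 3. Mail flow rule for internal spoofing: a message whose sender domain is ours,
#    which Exchange did not authenticate as internal (AuthAs header is Anonymous),
#    and which did not come via the gateway, is quarantined.
New-TransportRule -Name 'Quarantine unauthenticated mail from our own domains' `
    -SenderDomainIs $OwnDomains `
    -HeaderMatchesMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -HeaderMatchesPatterns '^Anonymous$' `
    -ExceptIfSenderIpRanges $GatewayIPs `
    -Quarantine $true

# 4. Disable Direct Send for the tenant. Assumption: the RejectDirectSend
#    organisation setting is available in your tenant.
Set-OrganizationConfig -RejectDirectSend $true

# Verify what was created.
Get-InboundConnector -Identity 'Inbound from mail gateway' |
    Format-List Name, ConnectorType, SenderIPAddresses, RestrictDomainsToIPAddresses
Get-TransportRule | Where-Object { $_.Name -like 'Quarantine *' } |
    Format-Table Name, State, Priority
```

Roll the two transport rules out with `-Mode Audit` first and review the resulting message trace before switching to enforcement: any legitimate inbound path that does not pass through the gateway (a second relay, a service that delivers straight to the tenant) will otherwise land in quarantine along with the spoofed mail.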

InfoGuard's timeline suggests that Microsoft briefly deployed a mitigation but later rolled it back. The difficulty in detecting successful Ghost-Sender attacks after mitigation is also a concern, as attackers could potentially spoof internal mail path information. Organizations are advised to scrutinize email headers for discrepancies in the mail gateway flow as a potential indicator of compromise.
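A header triage script for the gateway-flow discrepancy the advisory points to, as an added example (not InfoGuard's testing tool). It assumes the constructed gateway addresses 203.0.113.10 and 203.0.113.11, the own domains example.com and example.net, that Exchange Online's edge writes a Received header whose "by" host ends in mail.protection.outlook.com, and that only that hop's "from" address can be trusted, because every Received line beneath it was supplied by the sender and may be forged. The header block is constructed sample data.

```powershell
# Added example, not InfoGuard's testing tool: triage a message's headers for the
# gateway-flow discrepancy the advisory points to. Assumptions (all constructed):
#   - the gateway relays from 203.0.113.10 / 203.0.113.11
#   - the tenant's domains are example.com / example.net
#   - Exchange Online's edge adds a Received header whose "by" host ends in
#     mail.protection.outlook.com; only that hop's "from" IP is trusted, because
#     Received lines below it were supplied by the sender and may be forged.

$GatewayIPs = @('203.0.113.10', '203.0.113.11')
$OwnDomains = @('example.com', 'example.net')

# Constructed sample: a message that reached the tenant directly, not via the gateway,
# carrying a forged bottom Received line that claims a gateway hop.
$SampleHeaders = @'
Received: from EX-MB01.namprd00.prod.outlook.com (2603:10b6::1) by
 EX-MB02.namprd00.prod.outlook.com with HTTPS; Tue, 9 Jun 2026 08:00:01 +0000
Received: from sender-host.example.invalid (198.51.100.23) by
 EXAMPLE.mail.protection.outlook.com (10.0.0.1) with ESMTP; Tue, 9 Jun 2026 08:00:00 +0000
Received: from 203.0.113.10 (fake-gateway.example.invalid) by sender-host.example.invalid;
 Tue, 9 Jun 2026 07:59:59 +0000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Finance Director <director@example.com>
To: accounts@example.com
Subject: Updated invoice
'@

function Get-UnfoldedHeaders {
    param([string]$Raw)
    # RFC 5322 folding: a line starting with whitespace continues the previous header.
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^\s' -and $out.Count -gt 0) {
            $out[$out.Count - 1] = $out[$out.Count - 1] + ' ' + $line.Trim()
        } elseif ($line.Trim() -ne '') {
            $out.Add($line)
        }
    }
    return ,$out
}

function Test-GatewayFlow {
    param([string]$Raw, [string[]]$ExpectedGatewayIPs, [string[]]$InternalDomains)
    $headers  = Get-UnfoldedHeaders -Raw $Raw
    $findings = New-Object System.Collections.Generic.List[string]

    # The top-most Received header written by the tenant's Exchange Online edge is the
    # hop Exchange actually observed; everything below it is sender-controlled.
    $edgeHop = $headers |
        Where-Object { $_ -match '^Received:.*\bby\s+\S*mail\.protection\.outlook\.com' } |
        Select-Object -First 1
    $entryIp = $null
    if ($edgeHop -and $edgeHop -match '\((\d{1,3}(?:\.\d{1,3}){3})\)') { $entryIp = $Matches[1] }

    if (-not $entryIp) {
        $findings.Add('No Exchange Online edge hop with an IPv4 source found; inspect manually.')
    } elseif ($ExpectedGatewayIPs -notcontains $entryIp) {
        $findings.Add("Edge hop source $entryIp is not a known gateway address (mail bypassed the MX path).")
    }

    # Internal spoofing pattern: our own domain in From, but Exchange did not
    # authenticate the submission as internal.
    $authAs = $headers |
        Where-Object { $_ -match '^X-MS-Exchange-Organization-AuthAs:' } |
        ForEach-Object { ($_ -split ':', 2)[1].Trim() } |
        Select-Object -First 1
    $from = $headers | Where-Object { $_ -match '^From:' } | Select-Object -First 1
    $fromDomain = $null
    if ($from -and $from -match '@([A-Za-z0-9.-]+)') { $fromDomain = $Matches[1].ToLower() }

    if ($fromDomain -and $InternalDomains -contains $fromDomain -and $authAs -ne 'Internal') {
        $findings.Add("From domain $fromDomain is ours but AuthAs is '$authAs', not Internal.")
    }

    [pscustomobject]@{
        EdgeHopSourceIP = $entryIp
        AuthAs          = $authAs
        FromDomain      = $fromDomain
        Suspicious      = ($findings.Count -gt 0)
        Findings        = $findings.ToArray()
    }
}

Test-GatewayFlow -Raw $SampleHeaders -ExpectedGatewayIPs $GatewayIPs -InternalDomains $OwnDomains |
    Format-List
```

On the sample the script reports the edge hop source 198.51.100.23 as unknown and the AuthAs value as Anonymous; the forged bottom Received line naming 203.0.113.10 is never consulted, which is the point of anchoring the check on the hop Exchange Online itself recorded rather than on whatever path information the sender supplied.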

The Ghost-Sender vulnerability underscores the persistent challenges in securing email infrastructure, especially in complex hybrid environments. It highlights the critical need for organizations to regularly audit their configurations and stay informed about evolving threats that exploit seemingly minor architectural details.

Synthesized by Vypr AI