Exchange Server non-RFC compliant P2 FROM header detection
Overview
Microsoft is aware of a vulnerability (CVE-2024-49040) that allows attackers to run spoofing attacks against Microsoft Exchange Server. The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport. The P2 FROM header is the RFC 5322 From: header that the mail client shows to the user, as opposed to the P1 MAIL FROM envelope sender used during SMTP delivery. The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass, which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate.
Starting with the Exchange Server November 2024 Security Update (SU), Exchange Server can detect and flag email messages that contain potentially malicious patterns in the P2 FROM header.
How does it work
When Exchange Server detects a suspicious message, it automatically prepends the following disclaimer to the body of the email message:
Exchange Server also adds the X-MS-Exchange-P2FromRegexMatch header to any email message detected by this feature. If you want to take action on emails detected by the feature, you can use an Exchange Transport Rule (ETR) that matches the header and executes a specific action. In the following example, Exchange Server rejects the email if the header is present with the value True:
New-TransportRule -HeaderContainsMessageHeader "X-MS-Exchange-P2FromRegexMatch" -HeaderContainsWords @("True") -RejectMessageReasonText "Message not accepted due to a non-RFC compliant P2 FROM header" -Name "NonCompliantP2FromDetectionRule" -SenderAddressLocation "Header"
More information about mail flow rules can be found in the Mail flow rules in Exchange Server documentation.
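The following is an added example (not from the original page) of the alternative the reject rule above leaves open: instead of rejecting, the rule tags the subject, prepends a disclaimer of your own, copies the message to a review mailbox, and then shows how to verify the rule. The rule name and the mailbox address soc-review@contoso.com are assumptions for illustration. If you keep the built-in disclaimer action enabled, the message will carry both banners, so pair this rule with the setting override that disables the built-in disclaimer (see the Configuration section).

```powershell
# Added example: an ETR that acts on the X-MS-Exchange-P2FromRegexMatch header
# without rejecting the message. Run from an elevated Exchange Management Shell.
# The rule name and the review mailbox below are assumptions for illustration.

$ruleName   = "NonCompliantP2FromTagAndCopyRule"
$socMailbox = "soc-review@contoso.com"   # assumed security review mailbox

# HTML banner prepended to the body. The Wrap fallback still delivers the banner
# (wrapping the original message) when Exchange cannot modify the body itself,
# for example for signed or encrypted mail.
$banner = "<p style='color:#a00'><b>Warning:</b> the sender shown in this message " +
          "could not be verified. Treat links and attachments with caution.</p>"

New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader "X-MS-Exchange-P2FromRegexMatch" `
    -HeaderContainsWords "True" `
    -PrependSubject "[Unverified sender] " `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -BlindCopyTo $socMailbox `
    -Mode Enforce `
    -Comments "Tags messages flagged by the P2 FROM regex check (CVE-2024-49040 mitigation)"

# Verify that the rule was created with the intended condition and actions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, HeaderContainsMessageHeader,
                HeaderContainsWords, PrependSubject, ApplyHtmlDisclaimerLocation, BlindCopyTo

# For a staged rollout, switch the rule to audit mode first: matches are logged
# in message tracking but the actions are not applied. Return to Enforce when done.
#   Set-TransportRule -Identity $ruleName -Mode Audit
```

Matches in either mode show up in the message tracking log as AGENTINFO events for the transport rule agent, which is the quickest way to confirm that flagged messages are actually reaching the rule before you tighten the action.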
Configuration
The new behavior is enabled by default as part of our secure by default approach, although it's possible to control the feature using New-SettingOverride. This section explains how the feature can be controlled. Make sure to run the following commands from an elevated Exchange Management Shell (EMS).
If you prefer not to have Exchange automatically prepend a disclaimer to messages detected by the feature, you can disable the disclaimer action while keeping the custom header action enabled. This allows you to detect these emails using an ETR and handle them differently, such as by prepending a disclaimer of your choice. The following commands disable the disclaimer action:
New-SettingOverride -Name "DisableP2FromRegexMatchDisclaimer" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service -Name MSExchangeTransport
If you prefer not to have Exchange automatically add the X-MS-Exchange-P2FromRegexMatch header to emails detected by this feature, you can disable the header action while keeping the disclaimer action enabled. This setting override was introduced with the Exchange Server November 2024 SUv2 update. Use the following commands to disable the custom header action:
New-SettingOverride -Name "DisableP2FromRegexMatchHeader" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddP2FromRegexMatchHeader=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service -Name MSExchangeTransport
We strongly recommend that you leave the feature enabled, as disabling it makes it easier for bad actors to run phishing attacks against your organization. If you nevertheless want to disable the feature entirely, use the following commands to disable both the disclaimer and the custom header action:
New-SettingOverride -Name "DisableP2FromRegexMatchDisclaimer" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
New-SettingOverride -Name "DisableP2FromRegexMatchHeader" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddP2FromRegexMatchHeader=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service -Name MSExchangeTransport
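The three procedures above share the same create, refresh, restart sequence. The following is an added example (not from the original page) that wraps that sequence for the disclaimer override with the checks a practitioner would want: it avoids a duplicate override, confirms what was written to Active Directory before restarting transport, and shows how to return to the secure default with Remove-SettingOverride. It assumes that the refresh and restart are repeated on every Exchange server in the organization, because the override object is stored once in Active Directory while each server loads its configuration independently; the override name and reason text are illustrative.

```powershell
# Added example: create, verify and later remove the setting override that turns
# off the built-in disclaimer action. Run from an elevated Exchange Management
# Shell. Assumption: steps 3 and 4 are repeated on every Exchange server, since
# the override lives in Active Directory but is loaded per server.

$overrideName = "DisableP2FromRegexMatchDisclaimer"

# 1. Create the override only if it does not already exist; New-SettingOverride
#    fails when an override with the same name is already present.
if (-not (Get-SettingOverride -Identity $overrideName -ErrorAction SilentlyContinue)) {
    New-SettingOverride -Name $overrideName `
        -Component "Transport" `
        -Section "NonCompliantSenderSettings" `
        -Parameters @("AddDisclaimerforRegexMatch=false") `
        -Reason "Custom ETR disclaimer replaces the built-in one"
}

# 2. Confirm the stored override before touching the transport service. Server is
#    empty for an organization-wide override; use -Server on New-SettingOverride
#    if you only want to scope the change to specific servers.
Get-SettingOverride -Identity $overrideName |
    Format-List Name, ComponentName, SectionName, Parameters, Reason, Server

# 3. Make the running variant configuration pick up the change.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null

# 4. Restart transport so the new setting takes effect for mail flow.
Restart-Service -Name MSExchangeTransport

# 5. To restore the secure default later, remove the override and repeat steps 3
#    and 4 on every server (commented out so this script stays a one-way change).
# Remove-SettingOverride -Identity $overrideName -Confirm:$false
# Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
#     -Component VariantConfiguration -Argument Refresh | Out-Null
# Restart-Service -Name MSExchangeTransport
```

The same script serves the header override by changing the name to DisableP2FromRegexMatchHeader and the parameter to AddP2FromRegexMatchHeader=false; keep the Reason text accurate, because Get-SettingOverride is how the next administrator will find out why a secure default was switched off.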