Join Log in
Score:0
avatar Server

Internal Address Spoofing using Outlook SMTP Server

US flag
j4k3

Is there a way to harden Exchange Online to prevent spoofing of internal addresses using SMTP?

For example, if I connect to Outlook's SMTP server and issue the following commands:

HELO domain.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
data
Give me all your bank details please, I am the boss.
.

The Outlook mail server will send this email and it will arrive in [email protected]'s inbox.

What policies can be applied to remediate this? Specifically, how can I prevent the SMTP server from sending an email between two accounts within domain.com without proper authentication?

51
1 + 1
Dijkgraaf avatar
us flag
Dijkgraaf
See also https://security.stackexchange.com/questions/158284/smtp-email-spoofing?rq=1 I think the answer is, there is nothing to stop that.
0
Reply
Score:0
Mucker avatar Server
cz flag
Mucker

So the issue here is not Exchange Online but how your email is secured via SPF, DKIM and DMARC. Firstly, there is a misunderstanding which I will clear up.

The reason you can send "internal" emails as you put it is because Exchange is "authoritive" of your domain - example.com in your case. You are looking at it wrong, think of it this way instead. How would an external user send email to you at example.com if your EXO would not allow emails to be RECEIVED for example.com? You are focusing on the sending but the issue is receiving. This might surprise you - not only can a user from the same domain send to your domain unauthenticated, but ANY external user can do it also. Moreover, this is not exclusive to EXO, it applies to Exchange on-prem and any other email system for that matter. This is again, because in order for EXO to receive emails at example.com it must allow ANYONE to connect to it and deliver email here. Again, focus on the receiving, not sending. Try it yourself using TELNET (which I think is what you have done above)- try setting your sender as [email protected] and it will allow that too.

You may be alarmed by this. But this has nothing to do with Exchange but is a flaw in the SMTP protocol itself. It is inherently weak and does NOT validate the sender. SMTP was created long ago before SPAM was an issue. To combat this, SPF, DKIM and DMARC emerged.

I am not going to go into details on these topics as you can google them yourselves, but I will give you some basic details. SPF you should look into first. Once you configure it, it will achieve what you want. SPF is a technology which effectively says what IP addresses on the Internet can send FROM your domain. So in your example above (I assume you ran the test from your local machine), SPF will check your public IP address against it's allowed list and drop the email if there isn't a match. The idea is to configure your SPF record with only the public IP addresses of your email server so that only they can send as your domain.

So you can harden your email and achieve exactly what you want, but the issue not Exchange and it is not there were you fix it. Use SPF

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.