A vulnerability dubbed 'Ghost-Sender' has been discovered in Microsoft Exchange that permits attackers to spoof any email address. The flaw impacts both Exchange Online and on-premises instances operating in hybrid mode with a third-party mail server or spam filter.
According to Dark Reading, the exploit leverages weaknesses in how Exchange handles email authentication in these hybrid configurations. While no CVE identifier has been publicly assigned yet, the attack vector is considered active and potentially severe, as it bypasses common email security measures like SPF, DKIM, and DMARC.
Technical analysis reveals that Ghost-Sender works by intercepting or manipulating the email routing between Exchange and third-party mail systems. Attackers can craft messages that appear to originate from any domain, including trusted organizations or high-profile individuals, making them highly effective for phishing and business email compromise campaigns.
Microsoft has not yet issued an official patch or advisory for this specific flaw. Organizations using Exchange in hybrid mode with third-party mail filters are urged to review their email security configurations, implement strict sender authentication policies, and monitor for unusual message routing patterns as interim mitigations.
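The interim mitigations above amount to two checks a mail team can automate: verify that messages whose visible From: claims one of your own domains actually passed sender authentication, and flag messages whose envelope sender domain disagrees with the header From: domain without a DKIM signature vouching for it. The script below is an added illustration, not code from the article or from Microsoft, and it makes no claim about the internal mechanics of Ghost-Sender. It parses the `Authentication-Results` header that a receiving MTA or filter stamps on each message and applies those two rules to three constructed sample messages; `OWN_DOMAINS`, the sample headers and the finding strings are all assumptions made for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Domains this organization owns (constructed for the example).
OWN_DOMAINS = {"example.com"}

# Constructed sample message 1: internal mail that passes SPF, DKIM and DMARC.
LEGIT = "\n".join([
    "Return-Path: <alice@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;",
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "From: Alice <alice@example.com>",
    "To: bob@example.com",
    "Subject: Q3 numbers",
    "",
    "See attached.",
])

# Constructed sample message 2: the visible From: claims our domain, but the
# envelope sender belongs to someone else and DMARC did not pass.
SPOOFED = "\n".join([
    "Return-Path: <bounce@bulk-sender.invalid>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.invalid;",
    " dkim=none; dmarc=fail header.from=example.com",
    "From: CEO <ceo@example.com>",
    "To: bob@example.com",
    "Subject: Urgent wire transfer",
    "",
    "Please handle today.",
])

# Constructed sample message 3: no authentication stamp at all, which is what a
# message that skipped the filtering hop can look like.
UNAUTHENTICATED = "\n".join([
    "From: IT Helpdesk <helpdesk@example.com>",
    "To: bob@example.com",
    "Subject: Password expiry",
    "",
    "Reset your password here.",
])


def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    The first header (the most recent hop) wins for each method, so a verdict
    added by an earlier, less trusted hop cannot override the local one.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.IGNORECASE):
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def assess(raw: str) -> dict:
    """Apply the two header checks to one RFC 5322 message and report findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg)
    findings = []
    if not auth:
        findings.append("no Authentication-Results header")
    if from_domain in OWN_DOMAINS and auth.get("dmarc") != "pass":
        findings.append("own-domain From without DMARC pass")
    if envelope_domain and envelope_domain != from_domain and auth.get("dkim") != "pass":
        findings.append("envelope/header From mismatch without DKIM pass")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": auth, "findings": findings}


def triage(messages) -> list:
    """Return only the assessments that produced at least one finding."""
    return [r for r in (assess(m) for m in messages) if r["findings"]]


if __name__ == "__main__":
    for report in triage([LEGIT, SPOOFED, UNAUTHENTICATED]):
        print(report["from_domain"], report["findings"])
```

The rules deliberately key on the local `Authentication-Results` stamp rather than re-evaluating SPF or DKIM themselves, because in a hybrid deployment the question is precisely whether the hop that should have authenticated the message actually saw it. A message carrying your own domain in From: with no stamp, or with a DMARC failure, is worth routing to quarantine or review regardless of which system let it through.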
The discovery highlights ongoing challenges in securing hybrid email environments where disparate systems interact. Security researchers have not attributed Ghost-Sender to any specific threat group, but its potential for widespread abuse underscores the need for vendors to address cross-platform authentication gaps.