Exchange Online and the “ghost senders”: Five tips you should implement right now


Security alerts related to Microsoft 365 and Exchange Online have skyrocketed recently. In fact, email security is becoming increasingly complex. As established experts in email security and business-critical communications infrastructure, Retarus has summarized and analyzed the key details fueling Microsoft’s latest headline-grabbing issue for you.

For the past few days, news reports addressing the topic of ghost senders have been sparking debate among email administrators and decision-makers. Ever since the reports first emerged, we at Retarus have also remained in close contact with our customers as the topic has unfolded.

How should you respond?

In light of the ongoing discussion, we would like to give you and your administrators a few pointers to help you systematically review your email flow and current configuration using upstream security gateways. After all, the ghost sender scenario yet again underscores the fact that keeping email infrastructures secure not only hinges on individual measures or deployment models, but also crucially depends on their proper technical implementation.

1. Check your vulnerability to direct delivery

We advise you to immediately check whether your environment is generally vulnerable to the delivery of messages directly to the tenant, bypassing the intended pathway via your security gateway. Specifically testing this – for instance, using a dedicated testing tool such as that provided by ghost-sender.com – provides a quick initial assessment. If the test reveals that your Exchange Online mailboxes are accessible from outside the network via a “ghost sender”, we recommend taking the steps outlined below.

2. Define the intended delivery path unambiguously

A key factor is the intended delivery path. Technically, incoming emails should be routed exclusively via the upstream Secure Email Gateway. In practice, this means that the Mail Exchange (MX) record needs to be configured to first route incoming emails through the gateway rather than directly through Exchange Online. At the same time, a corresponding Inbound Partner Connector must be set up in Exchange Online to precisely reflect this delivery path.

3. Configure the inbound connector restrictively

Another crucial step is to configure the connector to be as restrictive as possible. It is essential that only the source IP addresses used by the gateway be permitted. This prevents incoming connections which do not follow the defined path from being treated as legitimate messages. In addition, it may be advisable to further safeguard the email flow by requiring Transport Layer Security (TLS) or by validating the gateway's TLS domain or certificate.

4. Prevent direct SMTP delivery to Exchange Online

Direct deliveries to Exchange Online outside the authorized gateway path should be blocked without exception. Whether this is best implemented through transport rules or other restrictions depends on the specific environment. It is also essential that, once the technical adjustments have been made, the configuration not only appears flawless but is also tested in practice to ensure that direct-to-tenant and spoofing scenarios have actually been blocked successfully.
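Steps 2 to 4 together describe one configuration: the MX record points at the gateway, a Partner inbound connector accepts mail only from the gateway's IP ranges, a transport rule rejects everything that arrives from outside the organization without passing through those ranges, and the result is verified. The following Exchange Online PowerShell script is an added example written for this article; it is not a Retarus or Microsoft script. The IP ranges (203.0.113.0/24, 198.51.100.10), the gateway host mx.gateway.example and the domain example.com are placeholders to replace with your own values, and the connector and rule names are our own choices.

```powershell
# Added example (not Retarus' or Microsoft's own script): pin the inbound delivery
# path from steps 2-4 in Exchange Online and verify it afterwards.
# Placeholders to replace: gateway IP ranges, gateway MX host name, protected domain.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.

Connect-ExchangeOnline

$GatewayIps = @('203.0.113.0/24', '198.51.100.10')   # placeholder: gateway source ranges
$GatewayMx  = 'mx.gateway.example'                   # placeholder: gateway MX host
$Domain     = 'example.com'                          # placeholder: protected domain
$Connector  = 'Inbound from Secure Email Gateway'    # our own connector name
$RuleName   = 'Reject inbound mail that bypasses the gateway'   # our own rule name

# --- Step 2: the MX record must point at the gateway, not at Exchange Online ---
$mx = Resolve-DnsName -Name $Domain -Type MX | Where-Object { $_.NameExchange }
$offPath = $mx | Where-Object { $_.NameExchange.TrimEnd('.') -ne $GatewayMx }
if ($offPath) {
    Write-Warning ('MX record(s) not pointing at the gateway: ' + ($offPath.NameExchange -join ', '))
}

# --- Step 3: a Partner inbound connector restricted to the gateway's source IPs ---
if (-not (Get-InboundConnector -Identity $Connector -ErrorAction SilentlyContinue)) {
    $connectorParams = @{
        Name                         = $Connector
        ConnectorType                = 'Partner'
        SenderDomains                = '*'          # the gateway relays mail from any sender domain
        SenderIPAddresses            = $GatewayIps
        RestrictDomainsToIPAddresses = $true        # reject sessions for these domains from other IPs
        RequireTls                   = $true        # refuse unencrypted sessions from the gateway
        EFSkipLastIP                 = $true        # Enhanced Filtering: evaluate the hop before the gateway
        Enabled                      = $true
    }
    # Alternative to the IP restriction: -TlsSenderCertificateName '*.gateway.example'
    # together with -RestrictDomainsToCertificate $true (certificate-based validation).
    New-InboundConnector @connectorParams
}

# --- Step 4: reject external mail that did not arrive via the gateway ranges ---
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    $ruleParams = @{
        Name                            = $RuleName
        FromScope                       = 'NotInOrganization'
        ExceptIfSenderIpRanges          = $GatewayIps
        RejectMessageReasonText         = 'Inbound mail must be delivered via the secure email gateway'
        RejectMessageEnhancedStatusCode = '5.7.1'
        Mode                            = 'Audit'   # start in audit mode; switch to 'Enforce' after review
    }
    New-TransportRule @ruleParams
}

# --- Verification: show the effective settings ---
Get-InboundConnector -Identity $Connector |
    Format-List Name, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls, EFSkipLastIP
Get-TransportRule -Identity $RuleName |
    Format-List Name, Mode, State, FromScope, ExceptIfSenderIpRanges

# --- Verification: which delivered messages of the last 24 h came from outside the gateway ranges? ---
function Test-IpInRanges {
    param([string]$Ip, [string[]]$Ranges)
    try { $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes() } catch { return $false }
    if ($bytes.Length -ne 4) { return $false }            # IPv4 only in this helper
    $addr = [BitConverter]::ToUInt32($bytes[3..0], 0)
    foreach ($range in $Ranges) {
        $net, $bits = $range.Split('/')
        if (-not $bits) { $bits = 32 }
        $netAddr = [BitConverter]::ToUInt32([System.Net.IPAddress]::Parse($net).GetAddressBytes()[3..0], 0)
        $mask = if ([int]$bits -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
        if (($addr -band $mask) -eq ($netAddr -band $mask)) { return $true }
    }
    return $false
}

$since = (Get-Date).AddDays(-1)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 1000 |
    Where-Object { $_.FromIP -and $_.Status -eq 'Delivered' -and -not (Test-IpInRanges $_.FromIP $GatewayIps) } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP
```

The transport rule is created in audit mode on purpose: intra-tenant traffic and Microsoft's own services also appear in the message trace, so review which messages the rule would have hit before switching it to Enforce. If you enable Enhanced Filtering on the connector, confirm in audit mode that the rule still exempts the gateway path as expected. The message trace at the end is the practical test the article asks for: after the change, the only delivered external messages should come from the gateway ranges.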

5. Check sender authentication regularly

Not only in response to this issue, you should regularly review your basic security mechanisms with regard to Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). A properly implemented and, where appropriate, more restrictive DMARC policy generally plays a valuable role in effectively reducing unwanted email flows and spoofing risks. At Retarus, we consider these mechanisms an integral part of a robust email security strategy.
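The regular SPF, DKIM and DMARC review described above can be scripted against public DNS. The following PowerShell function is an added example written for this article, not Retarus tooling; example.com is a placeholder domain, and the selectors selector1 and selector2 are assumed because they are the ones Microsoft 365 uses by default (other providers use different selectors). It reads the three record types and reports the weak settings the article warns about: a missing or permissive SPF, a missing DKIM key, and a DMARC policy of p=none or one applied only partially.

```powershell
# Added example (not Retarus' own tooling): read a domain's SPF, DKIM and DMARC records
# from DNS and flag weak settings. Requires Resolve-DnsName (DnsClient module on Windows).
# Placeholders: example.com; selector1/selector2 are Microsoft 365's default DKIM selectors.

function Get-TxtRecord {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Strings } |
            ForEach-Object { $_.Strings -join '' }   # long records are split into several strings
    } catch { @() }                                   # NXDOMAIN or lookup failure: no record
}

function Test-SenderAuthentication {
    param(
        [string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')
    )
    $findings = @()

    # --- SPF: exactly one v=spf1 record, ideally ending in -all, at most 10 lookups ---
    $spf = @(Get-TxtRecord $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)     { $findings += 'SPF: no record published' }
    elseif ($spf.Count -gt 1) { $findings += 'SPF: multiple records (receivers treat this as a permanent error)' }
    else {
        if ($spf[0] -match '\+all|\?all') { $findings += 'SPF: +all/?all lets any source pass' }
        elseif ($spf[0] -match '~all')   { $findings += 'SPF: softfail (~all); consider -all once all sources are listed' }
        $tokens  = $spf[0] -split '\s+'
        $lookups = @($tokens | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:)|^redirect=' }).Count
        if ($lookups -gt 10) { $findings += "SPF: $lookups DNS-lookup mechanisms (limit is 10)" }
    }

    # --- DKIM: at least one selector publishes a public key ---
    $keys = foreach ($s in $DkimSelectors) {
        Get-TxtRecord "$s._domainkey.$Domain" | Where-Object { $_ -match 'v=DKIM1|p=' }
    }
    if (-not $keys) { $findings += "DKIM: no key found under selector(s) $($DkimSelectors -join ', ')" }

    # --- DMARC: policy record at _dmarc.<domain>; p= should be quarantine or reject ---
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
    if (-not $dmarc) { $findings += 'DMARC: no record published' }
    else {
        $tags = @{}
        foreach ($kv in ($dmarc -split ';')) {
            $k, $v = ($kv.Trim() -split '=', 2)
            if ($k) { $tags[$k] = $v }
        }
        switch ($tags['p']) {
            'none'       { $findings += 'DMARC: p=none only monitors; spoofed mail is still delivered' }
            'quarantine' { }
            'reject'     { }
            default      { $findings += "DMARC: unexpected or missing policy '$($tags['p'])'" }
        }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "DMARC: pct=$($tags['pct']) applies the policy only to a share of mail" }
        if (-not $tags['rua']) { $findings += 'DMARC: no rua= address, so aggregate reports are not collected' }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Spf      = $spf
        DkimKeys = @($keys).Count
        Dmarc    = $dmarc
        Findings = $findings
    }
}

# Usage: run against your own sending domains; an empty Findings list is the target state.
Test-SenderAuthentication -Domain 'example.com' | Format-List
```

Run the function for every domain that sends mail on your behalf, not only the primary one, and keep the output from each review so that a DMARC policy which drifts back to p=none or an SPF record that grows past the lookup limit is noticed at the next check.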

Consistently securing the path your incoming emails take and preventing them from bypassing your safeguards can significantly reduce the risk of spoofing and deceitful messages. As a partner that focuses on precisely these challenges, Retarus helps companies implement comprehensive email security. Do you need practical support in making the risks in your email flow visible? Please feel free to contact our experts.
