Detecting Non-RFC Compliant P2 FROM Header in Exchange Server

Microsoft has closed a vulnerability in Microsoft Exchange Server that allows spoofing attacks (CVE-2024-49040).

This vulnerability is caused by the current implementation of header validation performed during the transport process. The current implementation allows some P2 FROM headers that do not comply with RFC 5322 to pass through, which can cause email clients (for example, Microsoft Outlook) to display a spoofed sender as a legitimate sender.

With the November 2024 Security Update (SU), Exchange Server is now able to detect and flag email messages that contain potentially malicious patterns in the P2 FROM Header.

How Does the Non-RFC Compliant P2 FROM Header Rule Work in Exchange Server?

To use this rule, you need to install the latest CU/SU available for your Exchange Server environment. To check the version information and general configuration of your Exchange Server environment, you can run the Exchange Server Health Check script.

Exchange Server is configured to automatically add the following warning to the body of the email message when it detects a suspicious message:

Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method. For more information see: https://aka.ms/ProtectYourselfFromPhishing.

Exchange Server also adds a header to any email message detected by the P2 feature. If you want to take an action on the emails detected by the feature, you can use an Exchange Transport Rule (ETR) to match this header and perform a specific action.

In the example below, Exchange Server rejects the email if it contains the X-MS-Exchange-P2FromRegexMatch header:

New-TransportRule -HeaderContainsMessageHeader "X-MS-Exchange-P2FromRegexMatch" -HeaderContainsWords @("True") -RejectMessageReasonText "Message not accepted due to a non-RFC compliant P2 FROM header" -Name "NonCompliantP2FromDetectionRule" -SenderAddressLocation "Header"

Configuring Non-RFC Compliant P2 FROM Header Rule in Exchange Server

The feature, which comes with the Exchange Server November Security Update, is enabled by default to increase security.

Although it is possible to disable the feature using the New-SettingOverride command, it is strongly recommended that you leave it enabled. Disabling the feature makes it easier for malicious actors to conduct phishing attacks against your organization.

How to Disable Non-RFC Compliant P2 FROM Header Rule Disclaimer in Exchange Server

If you do not want Exchange Server to automatically add the disclaimer to messages detected by the algorithm, you can disable only the disclaimer action. This allows you to handle these emails differently using a customized ETR (transport rule). You can disable the disclaimer action using the following commands:

New-SettingOverride -Name "DisableP2FromRegexMatchDisclaimer" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart-Service -Name MSExchangeTransport

How to Disable Non-RFC Compliant P2 FROM Header Rule in Exchange Server

With the Exchange Server November 2024 SU v2 release, this feature adds a custom header (X-MS-Exchange-P2FromRegexMatch) to detected messages with the default settings. However, you may want to disable only this header addition. You can disable the custom header action alone using the following commands:

New-SettingOverride -Name "DisableP2FromRegexMatchHeader" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddP2FromRegexMatchHeader=false") -Reason "Disabled For Troubleshooting"

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart-Service -Name MSExchangeTransport

How to Disable Both the Header and the Disclaimer for Non-RFC Compliant P2 FROM in Exchange Server

If you need to disable the feature completely (although this is not recommended), you can turn off both the disclaimer text and the custom header insertion with the following commands:

New-SettingOverride -Name "DisableP2FromRegexMatchDisclaimer" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Reason "Disabled For Troubleshooting"
New-SettingOverride -Name "DisableP2FromRegexMatchHeader" -Component "Transport" -Section "NonCompliantSenderSettings" -Parameters @("AddP2FromRegexMatchHeader=false") -Reason "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service -Name MSExchangeTransport
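The following script is an added example, not part of the original article or of Microsoft's own tooling. It audits the state of the P2 FROM detection feature described above: it lists any setting override in the NonCompliantSenderSettings section (the overrides from the previous sections weaken the feature) and confirms that the transport rule from the ETR section exists and is enabled. It assumes the override and rule names used in this article and runs from the Exchange Management Shell.

```powershell
# Added example (not from the original article or from Microsoft).
# Audits whether the P2 FROM detection feature is still fully active.
# Assumes the rule name 'NonCompliantP2FromDetectionRule' used earlier in this article.
param(
    [string]$RuleName = 'NonCompliantP2FromDetectionRule'
)

# 1. Any override in the NonCompliantSenderSettings section weakens the feature
#    (AddDisclaimerforRegexMatch=false or AddP2FromRegexMatchHeader=false).
$overrides = Get-SettingOverride |
    Where-Object { $_.ComponentName -eq 'Transport' -and $_.SectionName -eq 'NonCompliantSenderSettings' }

if ($overrides) {
    Write-Warning "P2 FROM detection has been weakened by the following setting overrides:"
    $overrides | Format-Table Name, Parameters, Reason, Server -AutoSize
} else {
    Write-Output "No overrides found: the disclaimer and the X-MS-Exchange-P2FromRegexMatch header are both active (default)."
}

# 2. If the disclaimer is disabled, the transport rule is the only visible effect,
#    so confirm that the rule exists and is enabled.
$rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "Transport rule '$RuleName' not found; flagged messages will only carry the header."
} elseif ($rule.State -ne 'Enabled') {
    Write-Warning "Transport rule '$RuleName' exists but is disabled."
} else {
    Write-Output ("Transport rule '{0}' is enabled and matches header '{1}' = {2}." -f
        $rule.Name, $rule.HeaderContainsMessageHeader, ($rule.HeaderContainsWords -join ','))
}

# 3. To restore the default behaviour, remove the overrides and refresh the configuration.
#    Shown as comments only, because removal is a change, not an audit:
#    Remove-SettingOverride -Identity 'DisableP2FromRegexMatchDisclaimer'
#    Remove-SettingOverride -Identity 'DisableP2FromRegexMatchHeader'
#    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
#    Restart-Service -Name MSExchangeTransport
```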

In this article, we discussed the P2 FROM Header rule that arrived with the Exchange Server November Security Update.
