Reject Direct Send

On June 26, “Bleeping Computer” announced a Microsoft vulnerability that’s being exploited by bad actors. The TLDR is this: In the Exchange Admin Center, enable the “Reject Direct Send” setting, unless you absolutely need it for some sort of legacy printer/scanner. Better yet, upgrade that scanner to support authentication so you can “Reject Direct Send”.

What’s going on

The feature “Direct Send”, according to Bleeping Computer, exists to allow a device on your network to send an email without actually logging into Exchange Server with a valid username and password. Direct Send allows a device to construct an email which appears to be sourced from within your organization, which bypasses the ordinary SPF, DKIM/DMARC features designed to prevent spoofing of emails.

For email servers which allow Direct Send, a bad actor can get an email onto your network (with a malevolent attachment) that will be difficult for end-users to see as suspect, or potentially dangerous.

Bad actor sitting amid several monitors and laptops

What you can do

There are a few things you can do to guard against this exploit. One is to ensure you have SPF, DKIM and DMARC policies correctly set for your domain, including a DMARC policy of “reject” for failed status. As mentioned earlier, disable “Direct Send” by enabling the new setting, “Reject Direct Send” in the Exchange Admin Center. Where people have seen this exploit successful, emails have been sourced from IP addresses outside the country–certainly outside the IP ranges for your company. Consider some filtering or pre-processing which can allow you to restrict valid sources of a Direct Send to only those IP Addresses you control.

Naturally, if you need help with this or other security topics, please feel free to check out our pages on cybersecurity, managed services, backup, or just contact us now. We’ll be happy to chat.

#Algonquin, #Barrington, #BullValley, #Carpentersville, #Cary, #CrystalLake, #DeerPark, #FoxLake, #FoxRiverGrove, #FoxRiverValleyGardens, #HawthornWoods, #Hebron, #HoffmanEstates, #HolidayHills, #Ingleside, #Inverness, #IslandLake, #Johnsburg, #Kildeer, #LakeBarrington, #LakeInTheHills, #LakeZurich, #Lakemoor, #LongGrove, #McCullomLake, #McHenry, #Mundelein, #NorthBarrington, #OakwoodHills, #PortBarrington, #PrairieGrove, #Richmond, #Ringwood, #SolonMills, #SouthBarrington, #SpringGrove, #TowerLakes, #TroutValley, #VillageOfLakewood, #Volo, #Wauconda, #WonderLake, #Woodstock