Security Recommendation Exchange 2016-2019

A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:

CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability

A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.

As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.

First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME record for this name in DNS and point it at your existing OWA namespace (the host name your OWA URL already uses). Add this namespace to your existing SSL certificate (as a SAN) unless you are using a wildcard certificate and the chosen namespace is covered by it.

Next, set the InternalDownloadHostName and ExternalDownloadHostName properties on the OWA virtual directory configuration, e.g.

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalDownloadHostName img.mail.contoso.com -InternalDownloadHostName img.mail.contoso.com

Configure the Exchange organization to use download domains:

Set-OrganizationConfig -EnableDownloadDomains $true

Finally, restart IIS or recycle the OWA application pool using Restart-WebAppPool MSExchangeOWAAppPool.
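As an added example (not code from the original post), the following PowerShell check verifies from the Exchange Management Shell that the steps above are actually in place: the OWA virtual directory host names, the organization setting, DNS resolution of the download host and certificate coverage. The $DownloadHost value, the variable names and the wildcard-matching logic are assumptions.

```powershell
# Added verification script, not from the original post. Assumes it runs in the
# Exchange Management Shell on an Exchange server with DNS access; the default
# value of $DownloadHost is an assumed example matching the post above.
param(
    [string]$DownloadHost = 'img.mail.contoso.com'
)

$issues = @()

# 1. Every OWA virtual directory must have both download host names set.
foreach ($vdir in Get-OwaVirtualDirectory) {
    foreach ($prop in 'InternalDownloadHostName', 'ExternalDownloadHostName') {
        if ([string]::IsNullOrEmpty($vdir.$prop)) {
            $issues += "$($vdir.Identity): $prop is not set"
        } elseif ($vdir.$prop -ne $DownloadHost) {
            $issues += "$($vdir.Identity): $prop is '$($vdir.$prop)', expected '$DownloadHost'"
        }
    }
}

# 2. Download domains must be enabled at the organization level.
if (-not (Get-OrganizationConfig).EnableDownloadDomains) {
    $issues += 'EnableDownloadDomains is False on the organization config'
}

# 3. The download host must resolve as a CNAME (pointing at the OWA namespace).
try {
    $dns = Resolve-DnsName -Name $DownloadHost -Type CNAME -ErrorAction Stop
    Write-Host "DNS: $DownloadHost -> $($dns.NameHost)"
} catch {
    $issues += "DNS: $DownloadHost does not resolve as a CNAME ($($_.Exception.Message))"
}

# 4. An IIS-bound certificate must cover the host, by exact SAN or single-label wildcard.
$covered = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Where-Object {
        $_.CertificateDomains | Where-Object {
            $_ -eq $DownloadHost -or
            ($_.StartsWith('*.') -and $DownloadHost -like $_ -and
             $DownloadHost.Split('.').Count -eq $_.Split('.').Count)
        }
    }
if (-not $covered) {
    $issues += "No IIS-bound certificate covers $DownloadHost"
}

if ($issues.Count -eq 0) {
    Write-Host 'Download domain mitigation appears fully configured.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```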

This entry was posted in Exchange Server and tagged , by Michel de Rooij. Bookmark the permalink.

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

11 thoughts on “Security Recommendation Exchange 2016-2019”

    • Wording in these documents can be puzzling. It states vulnerability CVE-2021-1730 has been addressed in KB4571787/8, i.e. 2019 CU7 & 2016 CU18 (and later). Per these CUs, the EnableDownloadDomains feature was added, which is a recommendation, making it complementary and limiting for future spoofing issues in this area.


  1. Thanks for addressing this, as there is very little content out there about it. I didn't even notice I needed it until I ran the HealthChecker PowerShell script. At the very end the output reads as follows:

    Download Domains Enabled: False; Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

    I’m still quite confused about why this is needed. Is there a way to test for the exploit (in other words, test that the issue has not been mitigated)?


  2. Internally everything works. Externally I get error 404 if I use a subdomain with a CNAME. If I use a subdomain, A record, DMZ and reverse proxy I get error 302. Pictures are not shown in OWA. Any idea?
