More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5003435-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.
Two years ago, I posted a blog on how to implement Transport Rules in Microsoft Exchange to flag messages originating from outside the organization. Goal is to aid end users in identifying messages originating from outside of the organization, by displaying tags in the subject or body part of received messages. This to make them aware – and hopefully more cautious – when it comes to clicking links or opening attachments. Downside of this method is that every inbound message gets a bit cluttered in their subject or body with tags and notifications, which becomes more evident when replying back and forth to external messages. Back then, I already stated a sort of MailTip would be a more preferable and elegant solution.
Onward to 2021, where tagging of external messages became a generally available feature in March for Exchange Online (MC243047, announcement), when used together with Outlook for Web Access (OWA), Outlook for Mac, Outlook Mobile. Outlook for Desktop will also receive support for the feature (supported per version 2105 build 14026.20000, InsiderFast currently). To start adopting this tagging mechanism for new messages, organizations need to deploy an organization level setting using Set-ExternalInOutlook, e.g.
This will enable the tagging of external messages in your tenant, except for domains or e-mail addresses which have been specified through the AllowList. In the example above, messages from contoso.com senders will bypass tagging. The AllowList is limited to 30 entries or 1 kB, whichever comes first. You can reconfigure the AllowList through the hashtable method, e.g.
After configuring Set-ExternalInOutlook, tagging is not immediate and can take a short while to become active. To inspect current settings, run Get-ExternalInOutlook.
How tagged mail is presented depends on the client. For example, Outlook for Web Access displays an ‘External’ label in the message list, as well as a MailTip at the top of the e-mail contents:
Same goes for Outlook Mobile, where the message list as well as the message view will show an indicator:
Outlook for Desktop However, Outlook for Desktop does not present a label in the message list, nor exposes a field to filter those external messages, only displaying a MailTip after opening the message:
So, people almost started asking right away if it was not possible to expose External information in the message list. Well, with a little help of “Oldskool” Outlook and forms customization, this is possible, and here is how:
First, we need information related to the MAPI attribute. As the field is not by default available in Outlook, we need to know some of its properties to define it later on. As mention in some of the documents, or Glen Scales’ article on how to identify messages using Graph or Exchange Web Services, the MAPI property tag is 41F28F13-83F4-4114-A584-EEDB5A6B0BFF and its name is IsExternalSender.
Next, we need to construct a .CFG file where we will define the property we want to expose. I’ve already done this part for you, and you can download IsExternalSender.cfg from GitHub. Also download the two .ico files and put them in the same folder as the .cfg file. Note that those .ico files only represent the form. Alternatively, you can copy the .cfg file to your Personal Forms Library folder and skip installing, but this way the instruction is a bit simpler, allows you to pick the Folder Forms Library and will skip the elevated access dialog as the Personal Forms Library is a protected folder.
Open Outlook, go to File > Options > Advanced and click the Custom Forms button. There, click Manage Forms. By default, the form is installed in your Personal Folder Library. You can also pick a mailbox to store the form, allowing it to roam together with the view changes we will perform later. Click Install and pick the prepared .cfg file you downloaded from GitHub, and the following dialog should be shown:
Click OK to confirm you want to load the information in the form file in your personal forms library and close the Forms Manager. Going back to the Outlook navigation view, you can now add an IsExternalSender field to the message list. Right-click the field header and select Field Chooser. In the drop-down list, select Forms.., and add External Tagging Form to the Selected Forms. Field Chooser should now display an available field named IsExternalSender, which you can add to your current view using drag & drop.
Note that the .cfg defines the IsExternalSender as Boolean and showing it as an Icon. This means that for External messages, the column IsExternalSender will contain a checkbox:
When you want, you can create custom fields to adjust how the information is presented. For example, you can create a custom field using a formula to display [EXTERNAL] for IsExternalSender messages, which might be more usable in certain views instead of the checkbox. To accomplish this, select New in Field Chooser,and create a field named ExternalTag, type Formula and enter the following formula:
iif([IsExternalSender]=-1,"[EXTERNAL]","")
You can then add the ExternalTag field to Compact View. Do note the text takes up a row in Compact view, thus might replace sender or the subject depending on layout and field order.
On a final note, when wanted you can filter, sort or create Search Folders using the new IsExternalSender field.
Exchange On-Premises Organizations running Exchange Hybrid, routing inbound messages through Exchange Online, are not able to benefit from external e-mail tagging. IsSenderExternal is only stamped on messages destined for mailboxes in Exchange Online. These organizations have therefor no way to identify these messages landing in their Exchange on-premises environment, and may require them to deploy the less elegant Transport Rules solution regardless.
15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.
A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?
The fixes address the following Remote Code Execution vulnerabilities:
More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.
The exploit can be fixed by single security update, which you can find below.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.
Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blog, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.
These fixes address the following Remote Code Execution vulnerabilities:
The exploit can be fixed by security update, or in case of Exchange 2010 SP3 by applying a Rollup, which you can find in the table below per current Exchange version. Microsoft published security updates for older CUs as well on March 8th; these have been added to the table below.
You may not be prompted for a reboot, but one is required.
When manually installing the update use an elevated command prompt, don’t just double-click the .msp. To apply an .msp from an elevated prompt, e.g. msiexec.exe /p <Full Path to File>.
When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms
Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
When running product levels earlier than the ones patched, i.e. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU after which you can install the security update.
When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to quickly respond to these type of emergencies.
Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor is also considered anti-virus/malware software, such as Trend Micro Deep Inspection on VMWare.
When deploying CU(n) on top of CU(n-1) when an interim update already has been installed, it is recommended to uninstall the IU prior to deploying CU(n). While it might go through, an abort is likely with mention of detecting an IU (INTERIMUPDATEDETECTED) in Exchange Setup log.
Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.
There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).
Mitigations I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:
A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
Disabling UM Services (mitigates CVE-2021-26857).
Disabling ECP application pool (mitigates CVE-2021-27065).
Disabling OAB application pool (addresses CVE-2021-26858).
Needless to say, steps like disabling ECP or OAB impacts client functionality.
Finally Since some people are discovering artifacts of HAFNIUM dating before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebson Security has published an article with a concise timeline of the events related to this attack.
A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:
CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability
A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.
As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.
First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME for this entry in the DNS, and point it to your OWA namespace, for example img.mail.contoso.com. Add this namespace to your existing SSL certificate (SAN) unless you are using a wildcard certificate and the chosen namespace is covered by it.
Next, configure the InternalDownloadHostName and ExternalDownloadHostName properties from OWAVirtualDirectory configuration, e.g.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.
A quick blog on security updates for Exchange Server 2016 and Exchange Server 2019 released September 8th. These fixes address the following vulnerability:
CVE-2020-16875: Exchange Memory Corruption Vulnerability A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised. The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.
The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4577352-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.
Update 22feb2021: Added note about enabling SMTP Authentication.
Not too long ago, the Exchange product group enabled Modern Authentication (or OAuth2) support for IMAP and SMTP in Exchange Online, and shortly after for POP3 as well. This support was much needed with the imminent deactivation of Basic Authentication. With Modern Authentication available, vendors, developers as well as organizations running custom scripts are given time to adopt Modern Authentication where applicable.
By delaying the original end date of Basic Authentication from October 13, 2020 to Q3’ish 2021 due to the Corona situation, the adoption period is increased significantly. That does not mean however developers and organizations can sit back and relax: Act sooner rather than later, the end of Basic Authentication is nigh.
The benefits of Modern Authentication are of course that it is a more secure model (e.g. resistant to password spray attacks), as well that it can leverage Microsoft 365 functionality like Conditional Access to limit protocols to certain locations.
That said, in this article I will show you how to approve usage of a popular 3rd party e-mail application Thunderbird, using IMAP protocol in conjunction with the Modern Authentication scheme. The procedures below have been run against Thunderbird 78.0b4 on Windows as well as Ubuntu.
Third Party Applications Before we move on to Thunderbird, we first make sure the organization settings allow for third party applications to access your mailbox Exchange Online. This process has been blogged about for common popular applications, such as the native iOS Mail app or the Gmail app on Android. So, how to go ahead if your organization restricts access to third party applications, and they only want to allow specific applications, which is of course good practice.
The easiest way to add Thunderbird to the allowed applications and grant consent to the organization, is by constructing an admin consent URL. To construct the consent URL, take the following URL:
Replace <TenantID> with your Tenant ID. This piece of information can be found under the Azure Active Directory blade in the Azure portal.
Replace <AppID> with the Application ID (sometimes also referred to as Client ID) of the application you want to provide consent for. As we can see in the table below, the ID of Thunderbird is 08162f7c-0fd2-4200-a84a-f25a4db0b584.
Application
ID
Thunderbird
08162f7c-0fd2-4200-a84a-f25a4db0b584
Gmail app
2cee05de-2b8f-45a2-8289-2a06ca32c4c8
iOS Accounts (Apple Mail app)
f8d98a96-0999-43f5-8af3-69971c7bb423
Open your browser, and visit this URL as an administrator. You will be greeted with a consent form, in which you will be asked to accept for your organization. Because the redirect_uri is empty here, you will likely be send to a non-existing location after giving consent, but that’s OK.
When you look at the Enterprise Applications blade in the Azure Portal, you will notice the Thunderbird app has been added. Here you can further customize it, like any enterprise application supporting Modern Authentication, e.g.
Restrict access to specific users or groups.
Use Conditional Access to restrict access to certain locations.
Another thing to note is that permissions for Thunderbird app will have been translated to the following Graph permissions:
API
Permission
Type
Microsoft Graph
Read and write access to mailboxes via IMAP.
Delegated
Microsoft Graph
Read and write access to mailboxes via POP.
Delegated
Microsoft Graph
Read and write access to mailboxes via SMTP AUTH.
Delegated
Microsoft Graph
Sign in and read user profile.
Delegated
We should now be ready on the back-end.
Thunderbird Now as an end user, start Thunderbird. Do not start configuring the account yet, as we first need to modify a Thunderbird setting to allow for successful Modern Authentication through a browser popup. Click the ‘hamburger’ menu to open the Options window. Scroll all the way down, and open the Config Editor. Click ‘I Accept the risk’. In the settings overview, set General.UserAgent.CompatMode.Firefox setting to True:
Preference Name
Status
Type
Value
general.useragent.compatMode.firefox
modified
boolean
True
Close the Config Editor and Preferences tab. We can now set up our account in Thunderbird.
Select Add Mail Account, and enter your name and e-mail address. You can leave the password empty, as we will be using an Oauth token which we will retrieve later on. Press Continue to have Thunderbird figure out where your mailbox is hosted. When it properly discovers the mailbox location, it will set the configuration as follows:
If Thunderbird can’t figure out your settings (for some reason the Windows build could, but the Ubuntu build couldn’t), configure them as indicated above. We can’t select OAuth2 for authentication here, so leave Authentication as is; we will correct this right after we click Done.
Note: Configure manually would be the place you expect to set authentication to OAuth2 straight away, but with the build we used, the OAuth2 option is not available from the manual account setup dialog. Therefore, we need to set up the account and correct settings afterwards.
In the Server Settings window related to your account, select OAuth2 authentication:
In the Outgoing Server (SMTP) settings, select Offic365 (Microsoft) – smtp.office365.com, click Edit and set authentication for outbound SMTP to OAuth2 as well. Note: The Thunderbird build running on Ubuntu doesn’t provide the OAuth2 authentication option for SMTP.
When finished, click ‘Get Messages’. The familiar Microsoft 365 authentication browser dialog should show up. After signing in, the next question will be to grant consent to the Thunderbird application to it can access your mailbox data and send e-mail:
Note that this dialog can not be suppressed, as currently only interactive applications are supported. If you are working on an app or script which needs unattended access, please use Graph API.
After the user provides consent, Thunderbird is ready and will start fetching your default folders and mail items. If you want to view additional folders, you need to subscribe to them by right-clicking the account and picking Subscribe. Only folders with mail-items are supported, despite you can select every folder in your mailbox including Calendar or Contacts.
Note: If you encounter problems sending messages, please check the CASMailbox setting SmtpClientAuthenticationDisabled. If it is set to $true, you need to disable it to enable SMTP authentication, e.g.
Logging If you have people in your organization requiring some form of proof that Modern Authentication is being used, you can use the Enterprise Applications / Sign-Ins view from the Azure Active Directory portal.
Alternatively, you can use Thunderbird’s built-in logging capabilities. To accomplish the latter, set the following environment variables before starting Thunderbird:
![clip_image001[14]](https://eightwone.files.wordpress.com/2020/07/clip_image00114.png "clip_image001[14]")
![clip_image001[18]](https://eightwone.files.wordpress.com/2020/07/clip_image00118.png "clip_image001[18]")
