Microsoft Office 365 boosts email security against MITM, downgrade attacks

Microsoft has added SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication integrity and security.

Redmond first announced MTA-STS’ introduction in September 2020, after revealing that it was also working on adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities).

“We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online,” the Exchange Online Transport Team said today.

With MTA-STS now available in Office 365, emails sent by users via Exchange Online will only be delivered using connections with both authentication and encryption, protecting the messages from interception and attack attempts.

This new standard strengthens Exchange Online email security and solves several SMTP security problems, including expired TLS certificates, the lack of support for secure protocols, and certificates that are not issued by trusted third parties or do not match server domain names.

Before MTA-STS, emails sent through improperly secured TLS connections were exposed to various attacks, including downgrade and man-in-the-middle attacks.

“Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server,” the Exchange team said.

“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.”

Microsoft provides guidance on how to adopt MTA-STS, including where to host the policy file on your domain’s web infrastructure.
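To make the policy mechanism described above concrete, here is an added example (not from Microsoft or the original article) of how a sending server could evaluate an RFC 8461 policy file before delivery. The function names, the example.com hosts and the sample policy are constructed for illustration, and `tls_validated` is assumed to mean that STARTTLS succeeded with a trusted, unexpired certificate matching the MX host.

```python
# Added example: sender-side evaluation of an MTA-STS policy (RFC 8461).
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_policy(text):
    """Parse the key/value body of a policy file; raise ValueError if invalid."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())   # mx may repeat
        else:
            policy.setdefault(key, value)        # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy

def mx_allowed(policy, mx_host):
    """True if the MX host found in DNS is listed in the policy."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard covers exactly one left-most label.
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_validated):
    """Return 'deliver', 'deliver-and-report' or 'refuse'."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_allowed(policy, mx_host) and tls_validated:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"

# Constructed sample policy for a fictional domain.
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.mx.example.com\r\nmax_age: 604800\r\n")
```

In `enforce` mode a stripped STARTTLS response or an unlisted MX host results in `refuse`, while `testing` mode still delivers and only flags the failure for reporting.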

DANE for SMTP support also rolling out

Redmond is still working on rolling out DANE for SMTP (with DNSSEC support), which provides better protection for SMTP connections than MTA-STS does.

“We will deploy support for DANE for SMTP and DNSSEC in two phases. The first phase, DANE and DNSSEC for outbound email (from Exchange Online to external destinations), is slowly being deployed between now and March 2022. We expect the second phase, support for inbound email, to start by the end of 2022,” said The Exchange Team on Tuesday.

“We’ve been working on support for both MTA-STS and DANE for SMTP. At the very least, we encourage customers to secure their domains with MTA-STS,” Microsoft added today.

“You can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method.”

Microsoft has already secured several domains it uses for email transport as a domain owner itself, including primary domains like,, and 

This ensures that all connections from senders who support MTA-STS are better protected from man-in-the-middle attacks. 

