A recently discovered vulnerability in Microsoft Exchange has left organizations vulnerable to email spoofing attacks, allowing malicious actors to bypass standard security protocols and deliver emails directly to users' inboxes without warnings. The "Ghost-Sender" flaw, identified in June 2026, affects both Exchange Online and on-premises deployments in hybrid configurations, potentially compromising email integrity and trust.
What Happened
The vulnerability was discovered by researchers who found that a misconfiguration in Microsoft Exchange allowed attackers to spoof emails from any sender. This flaw enables malicious actors to bypass SPF, DKIM, and DMARC policies, delivering emails directly to users' inboxes without warnings. The misconfiguration is widespread, with evidence of active exploitation in the wild.
According to Dark Reading, the "Ghost-Sender" vulnerability allows attackers to exploit a misconfiguration in Microsoft Exchange to spoof emails from any user, leading to potential phishing attacks. The attack path analysis reveals how the spoofing was used in practice: attackers escalated privileges by impersonating internal users, facilitating lateral movement within the organization, and established command and control by embedding malicious links or attachments in the spoofed emails.
Background and Context
The "Ghost-Sender" vulnerability is not an isolated incident. In November 2024, Microsoft disclosed a high-severity Exchange Server vulnerability that allows attackers to forge legitimate senders on incoming emails and make malicious messages more effective. The security flaw (CVE-2024-49040) impacts Exchange Server 2016 and 2019.
Solidlab security researcher Vsevolod Kokorin discovered the vulnerability and reported it to Microsoft earlier this year. According to Kokorin, "The problem is that SMTP servers parse the recipient address differently, which leads to email spoofing." He also noted that some email providers allow the use of symbols < and > in group names, which does not comply with RFC standards.
Kokorin's research revealed that during his investigation, he did not find a single mail provider that correctly parses the 'From' field according to RFC standards. Microsoft has acknowledged this issue and released several updates during this month's Patch Tuesday to add exploitation detection and warning banners.
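The parsing problem Kokorin describes is easiest to see on the receiving side. The following Python script is an added example, not code from the article, from Solidlab or from Microsoft: it tokenises a raw RFC 5322 From: value with quoted-strings and comments in mind, flags the constructs that different implementations are known to resolve differently (group syntax, angle brackets inside a quoted display name, a display name that itself looks like an address), and then checks DMARC-style alignment of the extracted domain against the envelope sender. Every sample header, domain name and authentication result below is constructed, and relaxed alignment is approximated as a same-domain-or-subdomain match rather than a public-suffix-list lookup.

```python
"""Added example (not code from the article, Solidlab or Microsoft): inspect a
raw RFC 5322 From: value for the parsing ambiguities the article describes and
check DMARC-style alignment of the result against the envelope sender.
All sample headers, domains and authentication results are constructed."""
from dataclasses import dataclass, field


@dataclass
class FromAnalysis:
    display_name: str
    addr_spec: str
    domain: str
    findings: list = field(default_factory=list)


def _scan(header):
    """One pass over the header tracking quoted-strings and comments; returns
    top-level positions of < > : ; and whether any angle bracket was nested."""
    top = {"<": [], ">": [], ":": [], ";": []}
    nested_angle, in_quote, depth, i = False, False, 0, 0
    while i < len(header):
        ch = header[i]
        if ch == "\\" and (in_quote or depth):
            i += 2                              # quoted-pair: skip escaped char
            continue
        if in_quote:
            if ch == '"':
                in_quote = False
            elif ch in "<>":
                nested_angle = True
        elif depth:
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if ch in "<>":
                nested_angle = True
        elif ch == '"':
            in_quote = True
        elif ch == "(":
            depth = 1
        elif ch in top:
            top[ch].append(i)
        i += 1
    return top, nested_angle


def analyze_from(header):
    """Extract display name / addr-spec / domain and record constructs that
    different SMTP implementations are known to resolve differently."""
    top, nested_angle = _scan(header)
    findings = []
    if nested_angle:
        findings.append("angle brackets inside quoted string or comment")
    if len(top["<"]) > 1:
        findings.append("multiple angle-addr tokens")
    if len(top["<"]) != len(top[">"]):
        findings.append("unbalanced angle brackets")
    lt = top["<"][0] if top["<"] else None
    colon = top[":"][0] if top[":"] else None
    group = colon is not None and (lt is None or colon < lt)
    if group:
        findings.append("RFC 5322 group syntax in From header")
    if lt is not None:                          # display-name <addr-spec>
        gt = next((p for p in top[">"] if p > lt), len(header))
        display, addr_spec = header[:colon if group else lt], header[lt + 1:gt]
    elif group:                                 # name: addr-list;
        end = top[";"][0] if top[";"] else len(header)
        display, addr_spec = header[:colon], header[colon + 1:end]
    else:                                       # bare addr-spec
        display, addr_spec = "", header
    display = display.strip().strip('"').strip()
    addr_spec = addr_spec.strip()
    if "@" in display:
        findings.append("display name looks like an email address")
    domain = ""
    if "@" in addr_spec and "," not in addr_spec:
        domain = addr_spec.rsplit("@", 1)[1].lower()
    if not domain:
        findings.append("no single addr-spec domain could be extracted")
    return FromAnalysis(display, addr_spec, domain, findings)


def dmarc_aligned(from_domain, auth_domain, relaxed=True):
    """Relaxed alignment approximated as same-domain-or-subdomain; real DMARC
    compares organizational domains derived from the public suffix list."""
    fd, ad = from_domain.lower(), auth_domain.lower()
    if not fd or not ad:
        return False
    return fd == ad or (relaxed and (fd.endswith("." + ad) or ad.endswith("." + fd)))


def evaluate(header, mail_from_domain="", spf_pass=False, dkim_domain="", dkim_pass=False):
    """Header anomalies alone hold the message: a passing SPF/DKIM result on a
    confusingly written From: says nothing about whom the user will trust."""
    a = analyze_from(header)
    if a.findings:
        return "quarantine", a
    if (spf_pass and dmarc_aligned(a.domain, mail_from_domain)) or \
       (dkim_pass and dmarc_aligned(a.domain, dkim_domain)):
        return "deliver", a
    return "warn", a


SAMPLES = [                                     # constructed, not from any incident
    '"IT Support" <it@corp.example>',
    'ceo@corp.example <noreply@mail.example>',
    '"Team <team@corp.example>" <other@mail.example>',
    'Helpdesk: "IT" <it@corp.example>;',
    'Undisclosed recipients:;',
]

if __name__ == "__main__":
    for h in SAMPLES:
        verdict, a = evaluate(h, mail_from_domain="bounce.corp.example", spf_pass=True)
        print(f"{verdict:10} {a.domain!r:18} {a.findings}")
```

The point of the design is that the scanner never trusts a single regex: it decides what is top-level syntax and what is quoted text first, which is exactly where implementations disagree, and anything ambiguous is held for review rather than resolved in the sender's favour.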
Why it Matters to the Industry
The "Ghost-Sender" vulnerability poses significant risks to organizations, particularly those in the adult industry that rely heavily on email communication. Email spoofing attacks can lead to phishing scams, data breaches, and unauthorized access to sensitive information. Its impact is not limited to one deployment model: both Exchange Online and on-premises deployments are affected.
The widespread adoption of Microsoft Exchange in the adult industry makes this vulnerability particularly concerning. Adult-industry platforms and operators must take immediate action to review and secure their email configurations, implementing strict sender verification protocols to mitigate this risk. Failure to do so may result in compromised email integrity and trust, as well as potential phishing attacks and data breaches.
What Comes Next
Microsoft has not patched the vulnerability, and Exchange will still accept emails with malformed headers. However, Exchange servers now warn of exploitation, adding a warning to malicious emails after installing the Exchange Server November 2024 Security Update (SU). Up-to-date Exchange servers will also add a warning to the body of any email they detect as having a forged sender.
Organizations must review their email configurations and implement strict sender verification protocols to mitigate this risk. This includes reviewing SPF, DKIM, and DMARC policies, as well as implementing custom mail flow rules to reject phishing emails attempting to exploit this flaw.
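The SPF and DMARC review step can be scripted. The following is an added example, not part of the article and not a Microsoft tool: it parses SPF and DMARC TXT records and reports the weak settings a configuration review looks for (a permissive or missing all term, too many DNS-lookup terms, p=none, a partial pct, unprotected subdomains, no reporting address). The records are constructed for a fictional corp.example; a real review fetches them from DNS for every sending domain.

```python
"""Added example (not from the article): an offline review of SPF and DMARC
TXT records for the weak settings a configuration review looks for.
The records below are constructed; a real review fetches them from DNS."""

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def review_spf(record):
    """Return a list of findings for one SPF record (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (missing v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                         # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1                        # counts toward the 10-lookup limit
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all authorises every host to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral, equivalent to having no policy")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def review_dmarc(record):
    """Return a list of findings for one DMARC record (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    return findings


def review_domain(spf_record, dmarc_record):
    """Combine both reviews into one report keyed by record type."""
    return {"spf": review_spf(spf_record), "dmarc": review_dmarc(dmarc_record)}


# Constructed records for a fictional corp.example: a weak pair and a hardened pair
WEAK = review_domain(
    "v=spf1 include:_spf.mail.example +all",
    "v=DMARC1; p=none; pct=50",
)
HARDENED = review_domain(
    "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@corp.example; adkim=s; aspf=s",
)

if __name__ == "__main__":
    for label, report in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, report)
```

A softfail (~all) is deliberately not reported as a finding: under an enforcing DMARC policy it is a common and acceptable choice, and the DMARC review is where enforcement is checked.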
Key Facts
- The "Ghost-Sender" vulnerability affects both Exchange Online and on-premises deployments in hybrid configurations.
- The vulnerability allows attackers to spoof emails from any sender, bypassing standard security protocols.
- Microsoft has not patched the vulnerability, and Exchange still accepts emails with malformed headers.
- Exchange servers now warn of exploitation, adding a warning to malicious emails after installing the Exchange Server November 2024 Security Update (SU).
- Organizations must review their email configurations and implement strict sender verification protocols to mitigate this risk.
The "Ghost-Sender" vulnerability highlights the importance of reviewing and securing email configurations. Adult-industry platforms and operators must take immediate action to protect themselves from potential phishing attacks, data breaches, and unauthorized access facilitated through email spoofing.