Exchange Online Getting Better E-Mail Tampering Security Protections
Exchange Online users soon will be getting some security enhancements that will enforce the use of Transport Layer Security (TLS) encryption for e-mails and ward off so-called "man-in-the-middle" attacks.
The enhancements, which implement recently emerged security standards, are spelled out in a couple of announcements issued this week by Microsoft's Exchange team. For the most part, IT pros won't have to do anything to get these Exchange Online security benefits.
First, Microsoft indicated that it now supports Simple Mail Transfer Protocol (SMTP) Mail Transport Agent (MTA) Strict Transport Security (STS), abbreviated as "MTA-STS," in the Exchange Online service, as described in this Feb. 2 announcement.
Second, Microsoft plans to add support for Domain Name System (DNS)-based Authentication of Named Entities (DANE) for SMTP, along with support for Domain Name System Security Extensions (DNSSEC), to the Exchange Online service. These two security protocol enhancements are expected to be implemented this year, per this Feb. 1 announcement.
In a nutshell, SMTP is an old e-mail protocol that permits text exchanges without much security. TLS can be used to encrypt these messages, but its use is not mandatory. Consequently, e-mail can be tampered with, or redirected away from its intended destination server, Microsoft explained.
The MTA-STS standard was developed by industry players and "the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)" industry coalition with the aim of enforcing TLS encryption use for e-mails. Microsoft has tested MTA-STS for Exchange Online and is now implementing it for all outgoing messages.
"We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online," Microsoft announced this week.
Best of all, IT pros overseeing Exchange Online don't have to do anything to get the outbound e-mail protection enabled by MTA-STS.
"All outbound Exchange Online email traffic is covered by this new security feature, and there's nothing admins need to do to leverage it," Microsoft indicated.
MTA-STS permits messages to go through when just one party is using it. However, if both parties are using MTA-STS and validation fails, then the messages don't get delivered. It's possible to get reports about e-mail sending issues via the TLS-RPT standard, which Microsoft didn't explain in any detail.
"Microsoft has started sending TLS-RPT reports to domains that have requested them," the Exchange team indicated.
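To make the "validation fails" behaviour concrete, here is an added example (not Microsoft's or Exchange Online's code) of a minimal MTA-STS policy parser and the sender-side delivery decision it drives; the policy text, hostnames and function names are constructed for illustration.

```python
# Added example (not Microsoft's or Exchange Online's code): a minimal
# MTA-STS (RFC 8461) policy parser plus the sender-side delivery decision.
# Constructed sample policy, in the format a receiving domain serves at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (hostnames are made up).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse the key: value policy text into {'mode', 'mx', 'max_age'}."""
    fields, mx = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())  # repeated 'mx' lines accumulate
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    mode = fields.get("mode", "none")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {mode!r}")
    return {"mode": mode, "mx": mx, "max_age": int(fields.get("max_age", 0))}

def mx_matches(policy: dict, host: str) -> bool:
    """RFC 8461 matching: exact host, or '*.x' covering exactly one left label."""
    host = host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def may_deliver(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Sender's decision for one MX host: in enforce mode an MX not named in
    the policy, or a failed TLS certificate validation, blocks delivery to it;
    in testing or none mode the mail still goes and TLS-RPT would report it."""
    if policy["mode"] == "enforce":
        return tls_ok and mx_matches(policy, mx_host)
    return True
```

A real sender would first find the policy via the `_mta-sts.<domain>` TXT record and cache it for `max_age` seconds; that fetch is omitted here so the example runs offline.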
DANE for SMTP with DNSSEC Support
An even better standards approach for e-mail security than MTA-STS is using DANE for SMTP with DNSSEC. Here's Microsoft's somewhat lengthy explanation to that effect:
MTA-STS came about because of the slow rollout of DNSSEC to protect the DNS records that are associated with SMTP. MTA-STS can be seen as a lighter-weight mechanism to secure your mail flow. Although MTA-STS offers a much-needed upgrade to current SMTP protections, DANE for SMTP (with the support of DNSSEC) is the gold standard for securing SMTP connections. However, many customers might find MTA-STS good enough for their security needs.
DANE for SMTP ensures that sending and receiving servers are resistant to TLS version downgrade attacks and man-in-the-middle attacks by using TLS Authentication DNS records.
DNSSEC uses a public key cryptography scheme to ensure that the "DNS records returned to the sending server have not been tampered with and are authentic."
Microsoft plans to deploy DANE for SMTP and DNSSEC in two phases for Exchange Online users. The first phase, where the two security protocols are getting deployed for outbound e-mails, has already begun and will extend through March. The second phase, where security protocols will get applied to inbound e-mails, is expected to "start by the end of 2022."
Microsoft is planning to support diagnostic assessments of TLS connectivity issues when using these two protocols via another "TLS-RPT" reporting capability, but the details weren't explained.
IT pros don't need to do anything to get the coming security benefits of DANE for SMTP and DNSSEC, but the receiving domain needs to support those standards; otherwise the connection just falls back to plain TLS. Microsoft suggested talking to business partners about whether such support is enabled. Misconfigurations will result in a blocked e-mail flow, but only the administrator of the receiving domain will be able to fix the problem. Organizations can use the Microsoft Remote Connectivity Analyzer to find and fix issues.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.