Weekly Intelligence Brief on Security Alerts and Vulnerabilities - Week of November 3, 2025
Key Takeaways
- CISA and NSA issued guidance for Exchange Server security.
- Simple Mail Transfer Protocol (SMTP) email header exploitation allows identity spoofing.
- Organizations advised to decommission end-of-life Exchange servers.
- Best practices suggest improved authentication and access controls.
- Email service providers must verify outgoing headers to prevent spoofing.
CISA, in collaboration with the NSA, published security best practices for Microsoft Exchange Server, aimed at reducing cyber threats. The guidance outlines necessary steps for organizations to fortify their on-premises (on-prem) Exchange server configurations against ongoing malicious activities.
The document emphasizes the need for hardening measures in user authentication, network encryption, and minimizing attack surfaces. CISA also highlighted the risks associated with maintaining outdated Exchange servers, suggesting organizations migrate to Microsoft 365 and deactivate any legacy systems.
Separately, researchers noted that email header syntax could be manipulated to bypass Sender Policy Framework (SPF), DKIM, and DMARC protections, enabling sophisticated spoofing attacks. Attackers can format the 'From' header so that it is interpreted differently by different parsers and impersonates a trusted user, raising security concerns for email communication.
To counter these threats, email service providers are urged to implement verification of the headers on outgoing mail, so that a message accepted from an authenticated user carries only a 'From' identity that user is permitted to send as. Additionally, users should exercise caution when handling unsolicited emails, checking the original message headers to confirm the sender's identity before sharing sensitive information.
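As an added example, not part of this brief or of the CISA/NSA guidance: a submission-time check that an email service provider could run on outgoing mail, written in Python, which accepts only a single plainly written 'From' mailbox and requires it to be an identity of the authenticated SMTP user. The strict grammar, the corp.example addresses and the sample submissions are all constructed for this example.

```python
import email
import re
from typing import Iterable, List, Optional

# Deliberately strict subset of RFC 5322 (a choice made for this example):
# exactly one mailbox, written as a bare addr-spec or as an optional
# display-name followed by an angle-addr. Lists, groups, comments and any '@'
# inside the display name are rejected rather than interpreted, because those
# are the constructions on which two parsers can disagree about the sender.
_ADDR_SPEC = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+"
_DISPLAY_NAME = r"(?:\"[^\"\\@]*\"|[A-Za-z0-9 !#$%&'*+/=?^_`{|}~.-]*)"
_FROM_RE = re.compile(
    rf"^\s*(?:(?P<bare>{_ADDR_SPEC})|{_DISPLAY_NAME}\s*<(?P<angle>{_ADDR_SPEC})>)\s*$"
)


def extract_single_from(raw_message: bytes) -> Optional[str]:
    """Return the one unambiguous From address (lower-cased), or None when the
    header is missing, repeated, or does not fit the strict grammar above."""
    msg = email.message_from_bytes(raw_message)  # compat32: raw header strings
    values = msg.get_all("From", [])
    if len(values) != 1:
        return None
    unfolded = values[0].replace("\r\n", "").replace("\n", "")  # undo folding
    m = _FROM_RE.match(unfolded)
    if not m:
        return None
    return (m.group("bare") or m.group("angle")).lower()


def check_outgoing_from(raw_message: bytes, authenticated_user: str,
                        allowed_aliases: Iterable[str] = ()) -> List[str]:
    """Check a message submitted by an authenticated SMTP user. An empty list
    means the From header is a single plain mailbox belonging to that user."""
    addr = extract_single_from(raw_message)
    if addr is None:
        return ["From header missing, repeated, or not a single plain mailbox"]
    permitted = {authenticated_user.lower(), *(a.lower() for a in allowed_aliases)}
    if addr not in permitted:
        return [f"From <{addr}> is not an identity of {authenticated_user}"]
    return []


# Constructed sample submissions (not real traffic), all sent by alice@corp.example.
CLEAN = b"From: Alice Example <alice@corp.example>\r\nSubject: hi\r\n\r\nbody\r\n"
TWO_MAILBOXES = b"From: Alice <alice@corp.example>, CEO <ceo@corp.example>\r\n\r\nbody\r\n"
ADDRESS_IN_NAME = b'From: "ceo@corp.example" <alice@corp.example>\r\n\r\nbody\r\n'
DUPLICATE_HEADER = b"From: alice@corp.example\r\nFrom: ceo@corp.example\r\n\r\nbody\r\n"
OTHER_IDENTITY = b"From: <ceo@corp.example>\r\n\r\nbody\r\n"
```

Only CLEAN passes for alice; the other four are rejected either because the header is not a single plain mailbox or because the address is not one of her permitted identities.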
- CISA and NSA release guidance on Exchange Server security
  CISA and NSA release guidance on Microsoft Exchange Server Security Best Practices to strengthen defenses against cyber threats.
- VU#517845: Authenticated SMTP users may spoof other identities due to ambiguous 'From' header interpretation.
  Email header syntax can bypass SPF, DKIM, and DMARC, allowing spoofed emails to appear from legitimate sources.