Executive Summary:
Microsoft Exchange remains a prime target for attackers, with two recent vulnerabilities highlighting different but equally critical risks. The first is an active phishing technique abusing the M365 Direct Send feature, allowing attackers to send emails that appear to originate from within an organization. This method bypasses standard email authentication and has already been exploited in the wild, leading to a rise in highly convincing credential-harvesting campaigns.
The second is a high-severity privilege escalation flaw, CVE-2025-53786, which is not yet exploited in the wild but is considered a grave risk by CISA. This post-exploitation vulnerability allows an attacker who already has administrative access to an on-premises Exchange server to move laterally into the connected cloud environment, potentially compromising the entire hybrid infrastructure. Organizations must understand their unique exposure to both vulnerabilities and prioritize patching and mitigation efforts accordingly to secure this critical infrastructure.
M365 Direct Send Abuse: The Attack and Mitigation
Direct Send is a method for an application or device to send email to an organization’s internal mailboxes without authentication. It is used for things like a multifunction device sending a scanned document to an internal mailbox, and the setting can be disabled to prevent spoofing.
Direct Send is enabled by default in Microsoft 365 tenants and does not require authentication with a certificate or with login credentials (username and password). Emails sent via Direct Send can only be delivered to recipients inside the organization’s own Microsoft 365 or Office 365 tenant. These conditions allow devices and applications to send email within an organization’s Exchange Online organization without authenticating, as long as the recipient is also within the same Microsoft 365 or Office 365 tenant. However, Microsoft is introducing a feature to disable Direct Send, with general availability expected in September 2025.
Summary of the Attack:
The M365 Direct Send feature allows unauthenticated devices and applications (like printers) to send emails to internal recipients. Threat actors have weaponized this by sending malicious, spoofed emails directly to an organization’s M365 smart host. Because these emails appear to come from an internal source and are routed through Microsoft’s own infrastructure, they bypass standard email authentication protocols (SPF, DKIM, DMARC) and third-party security filters. The emails often contain highly convincing phishing lures, such as fake voicemail notifications with QR codes, designed to steal credentials.
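The header shape described above is what a defender sees on the receiving side: an internal From domain, an anonymous (unauthenticated) submission, an SPF failure, and a source IP that is not an approved device. The following PowerShell is an added example, not code from the original post or from Microsoft; it triages a raw header block for those four indicators. The `contoso.com` domain, the `203.0.113.10` device address and the sample message are constructed placeholders, and the `X-MS-Exchange-Organization-AuthAs` header is assumed to be present on the delivered copy (validate against real messages from your tenant before relying on it).

```powershell
# Added example: flag a message whose From domain is one of our accepted domains
# but which arrived anonymously from an IP that is not an approved device.
# Sample message below is constructed, not a real capture.

$AcceptedDomains  = @('contoso.com')     # placeholder: your accepted domain(s)
$TrustedDeviceIps = @('203.0.113.10')    # placeholder: the MFP allowed to use Direct Send

function Get-HeaderValue {
    param([string[]]$Lines, [string]$Name)
    # Return the first header with the given name, joining folded continuation lines.
    $pattern = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $pattern) {
            $value = $Matches[1]
            $j = $i + 1
            while ($j -lt $Lines.Count -and $Lines[$j] -match '^\s+(.*)$') {
                $value += ' ' + $Matches[1]
                $j++
            }
            return $value
        }
    }
    return $null
}

function Test-DirectSendIndicators {
    param([string]$RawHeaders)
    $lines    = $RawHeaders -split "`r?`n"
    $from     = Get-HeaderValue -Lines $lines -Name 'From'
    $authAs   = Get-HeaderValue -Lines $lines -Name 'X-MS-Exchange-Organization-AuthAs'
    $authRes  = Get-HeaderValue -Lines $lines -Name 'Authentication-Results'
    $received = Get-HeaderValue -Lines $lines -Name 'Received'   # topmost hop = the one that reached EOP

    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { '' }
    $sourceIp   = if ($received -match '\((\d{1,3}(?:\.\d{1,3}){3})\)') { $Matches[1] } else { '' }

    $reasons = @()
    if ($AcceptedDomains -contains $fromDomain) { $reasons += "From domain $fromDomain is an accepted domain" }
    if ($authAs -eq 'Anonymous') { $reasons += 'Submitted without authentication (AuthAs: Anonymous)' }
    if ($authRes -match 'spf=(fail|softfail|none)') { $reasons += "SPF did not pass ($($Matches[0]))" }
    if ($sourceIp -and $TrustedDeviceIps -notcontains $sourceIp) { $reasons += "Source IP $sourceIp is not an approved device" }

    [pscustomobject]@{
        Suspicious = ($reasons.Count -ge 3)   # internal domain + anonymous + SPF failure is the Direct Send signature
        FromDomain = $fromDomain
        SourceIp   = $sourceIp
        Reasons    = $reasons
    }
}

# Constructed sample: an unauthenticated message claiming to be from an internal helpdesk.
$sample = @"
Received: from mail.example.net (198.51.100.25) by
 ABC123.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 198.51.100.25)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com;compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "IT Helpdesk" <helpdesk@contoso.com>
To: user@contoso.com
Subject: New voicemail
"@

Test-DirectSendIndicators -RawHeaders $sample | Format-List
```

On the constructed sample all four indicators fire and `Suspicious` is `$true`; a scan from the approved device at `203.0.113.10` would still trip the first three, which is why the tenant-side controls in the next section matter more than header triage alone.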
Security Strategy:
- Restrict Direct Send: The most effective defense is to disable or restrict the Direct Send feature. Use the “Reject Direct Send” option in the Exchange Admin Center. If you have legitimate devices that require Direct Send, configure specific mail flow rules with IP address restrictions so that only trusted sources are allowed.
- Enforce Email Authentication: Configure a strict DMARC policy with p=reject and ensure your SPF records use a “hard-fail” (-all) to prevent spoofing.
- Create Mail Flow Rules: Implement a rule that flags or quarantines inbound emails appearing to be from an internal sender but originating from an external source.
- User Training: Educate employees to be cautious of all unexpected emails, especially those with QR codes or suspicious attachments, and to verify requests through an alternative, trusted channel.
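The first three controls above, expressed as Exchange Online PowerShell, are shown here as an added example that is not the post’s own code and not a Microsoft script. It assumes the `ExchangeOnlineManagement` module is installed, that you hold an Exchange administrator role, and that you are on Windows (the `Resolve-DnsName` cmdlet ships with the Windows DnsClient module). `contoso.com` and `203.0.113.10` are placeholders. The `RejectDirectSend` organization setting is the PowerShell form of the “Reject Direct Send” option as Microsoft describes it in the blog linked under Sources; confirm the parameter name against that post for your tenant’s rollout state.

```powershell
# Added example: tenant-side Direct Send controls. Placeholders: contoso.com, 203.0.113.10.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Domain        = 'contoso.com'      # placeholder accepted domain
$TrustedDevice = '203.0.113.10'     # placeholder IP of a device that genuinely needs Direct Send

# 1. Reject Direct Send tenant-wide (parameter name per Microsoft's blog linked under Sources).
#    Only do this if no device depends on Direct Send; otherwise rely on step 2.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Mail flow rule: a message using an internal sender domain but entering from
#    outside the organization is quarantined, except when it comes from the one
#    approved device IP. Start in Audit mode, review what it catches, then Enforce.
New-TransportRule -Name 'Quarantine external mail spoofing internal domain' `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -ExceptIfSenderIpRanges $TrustedDevice `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Direct Send abuse control; switch -Mode to Enforce after review'

# 3. Check the public DNS posture: SPF should end in a hard fail (-all), DMARC p=reject.
$spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
         ForEach-Object { $_.Strings -join '' } |
         Where-Object { $_ -like 'v=spf1*' }
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
         ForEach-Object { $_.Strings -join '' } |
         Where-Object { $_ -like 'v=DMARC1*' }

if ($spf -notmatch '\s-all\s*$') { Write-Warning "SPF is not a hard fail: $spf" }
if ($dmarc -notmatch 'p=reject') { Write-Warning "DMARC policy is not reject: $dmarc" }

Disconnect-ExchangeOnline -Confirm:$false
```

`FromScope NotInOrganization` matches Direct Send traffic because the submission is anonymous even though the sender address is an accepted domain; that is the same property the attack relies on, turned into a rule condition.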
Deepwatch has the following coverage for these MITRE ATT&CK techniques, provided the correct logs are sent to your Splunk instance under DRS 2.0. Deepwatch customers can view full coverage details in the Security Center.
The attack can be broken down into the following key MITRE ATT&CK techniques:
Deepwatch Coverage for Direct Send Phishing Techniques

| MITRE ATT&CK Technique | Description |
|---|---|
| Phishing (T1566) | Using email to deliver malicious content, such as links or attachments, that appears to be from a legitimate source. |
| Impersonation (T1656) | Faking a trusted identity (e.g., an internal user’s email address) to make malicious emails appear legitimate. |
| Email Spoofing (T1672) | Faking a sender’s identity by modifying email headers, often bypassing SPF, DKIM, and DMARC. |
| User Interaction with Phishing Content | User-related actions following a successful phishing delivery. |
Sources:
- https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790
- https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865
- https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users
- https://www.varonis.com/blog/direct-send-exploit
CVE-2025-53786: The Privilege Escalation Vulnerability
Summary of the Attack: This high-severity vulnerability affects on-premises Exchange Servers in hybrid environments. It is a post-exploitation flaw, meaning an attacker must already have administrative access to the on-premises server. The vulnerability stems from the shared service principal used for authentication between the on-premises and cloud environments. An attacker can exploit this shared trust to forge tokens, allowing them to escalate privileges and move laterally into the Microsoft cloud to impersonate any hybrid user and access resources in Exchange Online and SharePoint.
Security Strategy:
- Install the Hotfix: You must first install the April 2025 Hotfix or a later update. These hotfixes are a prerequisite for the new security architecture. You can download the hotfixes for your specific Exchange Server version from the Microsoft Download Center:
  - Exchange Server 2019 CU14: Download link for KB5050673
  - Exchange Server 2019 CU15: Download link for KB5050672
- Separate Service Principals: This is the core mitigation step. The hotfix enables the use of a new, dedicated Exchange hybrid app, which breaks the shared trust relationship. After installing the hotfix, you must run a PowerShell script to transition from the legacy shared service principal to the new dedicated app. Microsoft provides documentation and the ConfigureExchangeHybridApplication.ps1 script for this purpose. If you’re unsure if you’ve done this, or if you previously configured hybrid authentication but no longer use it, run the script in “Service Principal Clean-Up Mode” to remove any lingering credentials from the old shared service principal. Always remember to follow the configuration instructions published by Microsoft.
- Check for Compromise: Use the Exchange Server Health Checker script to assess your environment and identify any servers that have not been updated. The script can also help you determine the Cumulative Update level of your servers. Run this script both before and after applying the hotfix to validate that your changes have been successfully implemented.
- Disconnect End-of-Life Servers: CISA highly recommends disconnecting any Microsoft Exchange or SharePoint servers that have reached their end-of-life status. These unpatched servers pose a significant risk and should not be connected to the internet.
- Follow CISA’s Directives: While aimed at federal agencies, all organizations should follow CISA’s recommendations and apply these mitigations promptly to protect their hybrid environments.
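The steps above, run in order from the Exchange Management Shell on the on-premises server, are shown here as an added example that is not the post’s own code and not one of Microsoft’s scripts. `HealthChecker.ps1` and `ConfigureExchangeHybridApplication.ps1` are Microsoft’s (links under Sources); obtain them from those pages. The parameter names used on the hybrid-app script are as I recall them from Microsoft’s documentation and are an assumption here; confirm them against the linked deployment page before running. `C:\Scripts` is a placeholder path, and the hotfix KB numbers are the ones listed above.

```powershell
# Added example: validate, patch, transition, re-validate. C:\Scripts is a placeholder.

# 1. Inventory: which servers exist and at what build? Record this before patching.
Get-ExchangeServer | Sort-Object Name |
    Format-Table Name, Edition, AdminDisplayVersion, ServerRole -AutoSize

# 2. Baseline with HealthChecker before the hotfix. It reports the CU level,
#    missing security updates and known misconfigurations for the server.
Set-Location 'C:\Scripts'                       # placeholder: where the scripts were saved
.\HealthChecker.ps1 -Server $env:COMPUTERNAME

# 3. Install the April 2025 hotfix for your CU from the Microsoft Download Center
#    (KB5050673 for Exchange 2019 CU14, KB5050672 for CU15), reboot, then re-run
#    step 2 and confirm the server is no longer flagged as missing the update.

# 4. Transition from the shared service principal to the dedicated hybrid app.
#    Requires Global Administrator rights in the tenant. Parameter name assumed;
#    verify against Microsoft's deployment documentation linked under Sources.
.\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication

# 5. "Service Principal Clean-Up Mode": remove lingering credentials from the legacy
#    shared service principal. Run this after step 4, or on its own if hybrid
#    authentication was configured earlier but is no longer in use.
#    Parameter name assumed; verify as in step 4.
.\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials

# 6. Re-run HealthChecker after the change and compare with the step 2 baseline.
.\HealthChecker.ps1 -Server $env:COMPUTERNAME
```

Keep the two HealthChecker outputs together with the change ticket; the before/after pair is the evidence that the hotfix landed on every server and that none were skipped, which is the gap an attacker with on-premises admin access would otherwise use.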
The vulnerability’s exploitation chain can be broken down into the following key MITRE ATT&CK techniques:
MITRE ATT&CK Mapping for CVE-2025-53786

| MITRE ATT&CK Tactic | Technique ID & Name | Description |
|---|---|---|
| Privilege Escalation (TA0004) | T1068: Exploitation for Privilege Escalation | An attacker with on-premises administrative access exploits the shared service principal between Exchange Server and Exchange Online to forge trusted tokens, escalating privileges within the cloud environment. |
| Lateral Movement (TA0008) | T1078: Valid Accounts | By forging tokens, the attacker can impersonate any hybrid user, including high-privileged accounts, to move laterally and access resources in the cloud environment. |
| Lateral Movement (TA0008) | T1550: Use Alternate Authentication Material | The attacker uses a certificate credential to request Service-to-Service (S2S) tokens, which serve as an alternate form of authentication to bypass standard credentials and authenticate as another entity. |
Sources:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
- https://techcommunity.microsoft.com/blog/exchange/exchange-server-security-changes-for-hybrid-deployments/4396833
- https://learn.microsoft.com/en-in/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app
- https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
Conclusion
The Exchange server continues to be a high-value target for threat actors. By understanding the different attack vectors—from unauthenticated email spoofing to post-exploitation privilege escalation—organizations can build a resilient defense. A proactive approach that combines technical mitigations, such as patching and hardening configurations, with user awareness training is essential to protect against both external and internal threats to this critical infrastructure.