
CVE-2026-42897: Exchange Flaw Enables Email Spoofing via XSS – What DMARC Can and Cannot Do

DMARCPulse Team

A new Exchange vulnerability is being actively exploited

Microsoft has confirmed a critical vulnerability in Exchange Server: CVE-2026-42897 allows attackers to exploit a cross-site scripting (XSS) flaw to manipulate emails so they appear to come from legitimate senders. According to Microsoft, the vulnerability is already being exploited in the wild — on-premises installations are directly at risk.

For IT admins running Exchange locally, this is a serious alert. But even organizations that have already deployed DMARC, SPF, and DKIM need to understand precisely where those protections apply — and where they fall short.

What actually happens in this attack?

The vulnerability lives in the Exchange Web App (OWA) and allows an attacker to inject JavaScript through crafted requests. That code executes within the context of an authenticated session — meaning it can send or manipulate emails on behalf of the logged-in user.

The key detail: the email leaves the system as a legitimate message from the real user. It originates from the correct mail server, carries the correct sender address, and passes internal routing rules without raising any flags.

Why DMARC, SPF, and DKIM hit their limits here

DMARC, SPF, and DKIM are designed to block external domain spoofing — cases where someone outside your organization pretends to send from a domain they don’t control.

CVE-2026-42897 is a different scenario entirely:

  • SPF checks whether the sending mail server is authorized for the domain. Since the email originates from the legitimate Exchange server, SPF passes cleanly.
  • DKIM cryptographically signs the message. Since Exchange itself creates the signature, DKIM is valid.
  • DMARC builds on SPF and DKIM. When both checks pass, the message is considered authenticated — regardless of whether an attacker hijacked the session.

In short: the email is technically authentic, but the content has been manipulated. DMARC has no reason to reject it.
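To make the three bullet points above concrete, here is an added example (not DMARCPulse code and not a real receiver's implementation) of the logic a receiver uses to reach a DMARC verdict: SPF and DKIM results plus identifier alignment against the published policy, and nothing else. The domains, policy record and authentication results are constructed sample values. Run it and the message from the hijacked session comes back "pass", because every input a DMARC evaluator looks at is genuine; only the classic external spoof is rejected.

```python
# Added example (not DMARCPulse code): a simplified model of how a receiver
# reaches a DMARC verdict. It checks SPF/DKIM results and identifier alignment
# only; it never inspects message content, which is the article's point.
# All domains, the policy record and the results below are constructed.
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC5322.From header
    spf_result: str     # "pass", "fail", "none", ...
    spf_domain: str     # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str
    dkim_domain: str    # d= tag of the DKIM signature ("" if unsigned)


def dmarc_verdict(res: AuthResults, record: str) -> tuple:
    """Return (dmarc_result, action): action is what the published
    policy asks the receiver to do with the message."""
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "deliver")  # no usable policy published
    spf_ok = res.spf_result == "pass" and aligned(
        res.spf_domain, res.from_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_result == "pass" and aligned(
        res.dkim_domain, res.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", tags["p"])  # none / quarantine / reject


POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

# Constructed case 1: message sent from a hijacked OWA session. It leaves the
# real Exchange server (SPF passes) and Exchange signs it (DKIM passes).
HIJACKED_SESSION = AuthResults("example.com", "pass", "example.com",
                               "pass", "example.com")

# Constructed case 2: classic external spoof from attacker-controlled
# infrastructure; SPF fails and there is no signature for the domain.
EXTERNAL_SPOOF = AuthResults("example.com", "fail", "attacker.example",
                             "none", "")

if __name__ == "__main__":
    print("hijacked session:", dmarc_verdict(HIJACKED_SESSION, POLICY))
    print("external spoof:  ", dmarc_verdict(EXTERNAL_SPOOF, POLICY))
```

Note that `dmarc_verdict` takes no message body, subject or recipient list as input. That is not a simplification of the example; DMARC as a protocol has no content channel, so a manipulated payment request from an authenticated session is indistinguishable from a legitimate one at this layer.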

What this means for recipients

Recipients — internal or external — receive a message that passes every authentication check. No spam filter raises an alert, no DMARC report shows anything unusual. That makes this attack vector particularly dangerous for targeted phishing campaigns or business email compromise (BEC).

A realistic scenario: an attacker compromises an OWA session through the XSS flaw, then sends a payment request on behalf of the CFO to the finance team. The email comes from the real Exchange server, carries a valid DKIM signature, passes SPF and DMARC — and lands in the inbox.

What admins should do right now

The single most important step is patching immediately. Microsoft has released a fix — it should be applied without delay. Beyond that, several measures reduce the overall risk:

  • Apply the Exchange patch: This is not optional. Unpatched systems are actively at risk.
  • Restrict OWA access: Limit access to known IP ranges or VPN wherever feasible.
  • Enforce MFA: With multi-factor authentication in place, stolen credentials alone are not enough to hijack a session.
  • Review DMARC aggregate reports: Even though DMARC won’t block this attack, unusual sending volumes or unfamiliar IP addresses in your reports can signal abuse.
  • Raise internal awareness: Employees should know that even apparently legitimate internal emails can be questioned — especially payment requests.
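The "Review DMARC aggregate reports" step above is easier to act on with a concrete check. The following added example (not DMARCPulse code) parses a DMARC aggregate (RUA) report in the standard XML format and flags the two signals the article names: a source IP you do not recognise, and an unusual sending volume from a source you do recognise. The report, IPs, counts and baseline figures are constructed sample values. Note that in the Exchange scenario the hijacked mail is reported as pass from your own server's IP, so the only thing that can surface in the report is a change in volume, not an authentication failure.

```python
# Added example (not DMARCPulse code): summarize a DMARC aggregate report per
# source IP and flag unfamiliar sources and volume spikes from known ones.
# SAMPLE_REPORT, the IPs, counts and baselines below are constructed values.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip>
      <count>4200</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>35</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts and evaluated results per source IP."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        entry = summary.setdefault(
            ip, {"count": 0, "dkim": set(), "spf": set(), "disposition": set()})
        entry["count"] += count
        entry["dkim"].add(evaluated.findtext("dkim"))
        entry["spf"].add(evaluated.findtext("spf"))
        entry["disposition"].add(evaluated.findtext("disposition"))
    return summary


def flag_anomalies(summary: dict, known_sources: set, baseline: dict,
                   spike_factor: float = 3.0) -> list:
    """known_sources: IPs you expect to send for the domain (e.g. your Exchange
    server). baseline: typical per-report message count per known IP.
    Returns (kind, ip, count) tuples, sorted by IP for stable output."""
    findings = []
    for ip, entry in sorted(summary.items()):
        if ip not in known_sources:
            findings.append(("unfamiliar_source", ip, entry["count"]))
            continue
        expected = baseline.get(ip, 0)
        if entry["count"] > spike_factor * expected:
            findings.append(("volume_spike", ip, entry["count"]))
    return findings


if __name__ == "__main__":
    # Constructed operator knowledge: the on-prem Exchange server usually
    # accounts for ~800 messages per report from this receiver.
    known = {"198.51.100.10"}
    baseline = {"198.51.100.10": 800}
    for finding in flag_anomalies(summarize_report(SAMPLE_REPORT), known, baseline):
        print(*finding)
```

The baseline and spike factor are the parts to tune per environment; a fixed factor of 3 is a starting point, not a recommendation. In practice you would accumulate the per-IP summaries across all receivers' reports for a day before comparing against the baseline, since a single receiver sees only the fraction of your traffic that went to its users.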

What DMARC still delivers

It would be wrong to write off DMARC because of this vulnerability. DMARC remains essential for protecting against external domain spoofing — the classic case where attackers send from your domain using infrastructure they control.

Organizations that haven’t set their DMARC policy to p=reject are leaving that attack vector wide open. And without active reporting, you often won’t notice for weeks that your domain is being used for phishing.

DMARCPulse shows you in real time which sources are sending email on your behalf — and whether any patterns suggest abuse. That doesn’t replace an Exchange patch, but it gives you the visibility to make informed decisions.

Wrapping up

CVE-2026-42897 is a clear reminder that email security is built in layers. DMARC, SPF, and DKIM protect your infrastructure from the outside — but they cannot stop an attack that happens inside a legitimate system. Patch management, access control, and user awareness are the decisive factors here.

Check now whether your DMARC policy is on enforcement and whether your reporting is active: Free domain check at DMARCPulse