A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user (CVE-2021-1730).
To prevent this type of attack, Microsoft recommends that customers download inline images from a different URL than the rest of OWA.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730
Change Image Download URL
Basically, you need to change both the external and internal download hostnames to a different domain name from the one OWA itself is served on.
Launch the Exchange Management Shell and execute the following commands (one per line):
Set-OwaVirtualDirectory -Identity "owa (default Web site)" -ExternalDownloadHostName "Images.DeepnetID.com"
Set-OwaVirtualDirectory -Identity "owa (default Web site)" -InternalDownloadHostName "Images.DeepnetID.com"
Set-OrganizationConfig -EnableDownloadDomains $true
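The following verification script is added here and is not part of the original article or any Deepnet product. It checks, across every OWA virtual directory in the organization, that the download hostnames are set, differ from the OWA hostname, and resolve in DNS; it assumes the same download hostname as the commands above and that Resolve-DnsName is available on the server.

```powershell
# Added verification script (not from the original article). Run in the Exchange Management Shell
# after applying the Set-OwaVirtualDirectory / Set-OrganizationConfig commands above.
# Assumption: the download domain chosen above; change $DownloadHost to match your environment.
$DownloadHost = "Images.DeepnetID.com"
$problems = @()

# The org-wide switch must be on, otherwise the per-directory download hostnames are not used.
$org = Get-OrganizationConfig
if (-not $org.EnableDownloadDomains) {
    $problems += "EnableDownloadDomains is not enabled (Set-OrganizationConfig -EnableDownloadDomains `$true)"
}

# Check every OWA virtual directory, not only the one on the local server.
foreach ($vdir in Get-OwaVirtualDirectory) {
    # Hostnames OWA itself is reachable on; the download domain must not be one of them.
    $owaHosts = @()
    foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
        if ($url) { $owaHosts += $url.Host }
    }

    foreach ($prop in 'ExternalDownloadHostName', 'InternalDownloadHostName') {
        $value = $vdir.$prop
        if ([string]::IsNullOrEmpty($value)) {
            $problems += "$($vdir.Identity): $prop is not set"
        } elseif ($owaHosts -contains $value) {
            # Same host as OWA defeats the purpose of a separate download domain.
            $problems += "$($vdir.Identity): $prop ('$value') is the same host OWA is served on"
        } elseif ($value -ine $DownloadHost) {
            $problems += "$($vdir.Identity): $prop is '$value', expected '$DownloadHost'"
        }
    }
}

# The download domain only works if clients can resolve it.
if (-not (Resolve-DnsName -Name $DownloadHost -ErrorAction SilentlyContinue)) {
    $problems += "DNS lookup for '$DownloadHost' failed; inline images will not load from the download domain"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: download domain '$DownloadHost' is configured on all OWA virtual directories"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The download hostname must also be covered by the certificate bound to the OWA web site, which this script does not check.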
If MFA is enabled on OWA, then you must also take the following steps:
- URL Binding for Image Download in OWA
- HTTP Filter for Image Download in OWA
- URL Filter for Attachment Download in OWA