Microsoft calls Exchange enterprise-grade. The Ghost-Sender authentication bypass, one of 206 vulnerabilities in the June 2026 Patch Tuesday release (Microsoft's largest single-cycle disclosure on record), allows a low-privilege authenticated user to send email appearing to originate from any address on the tenant, and that message passes DMARC validation because it transits the legitimate Exchange relay. A separate Exchange zero-day was confirmed exploited this week for cross-site scripting via Outlook Web Access and patched in the same release. The spoofed message is indistinguishable, under any header-level check currently deployed in the APAC FSI sector, from a legitimate HKMA supervisory notice.
Dark Reading's June 11 reporting on expanded China-linked and North Korean targeting of APAC financial institutions names the campaign but not the mechanism. Ghost-Sender fills it. An operator with authenticated access to a target's Exchange environment can issue a spoofed supervisory notice (a wire instruction, a data-sharing request, a breach-disclosure demand) that passes every automated header check a compliance team currently has in place. HKMA's Supervisory Policy Manual TM-E-1 specifies authentication controls for electronic banking channels; the manual addresses channel authentication, not impersonation of the supervisory authority itself by an already-authenticated internal principal. MAS TRM patch-management requirements set a 14-day window for critical vulnerabilities in licensed FSIs; for on-premises Exchange deployments running unpatched as of June 11, that clock closes June 25, 2026.