Hi Graeme, in this case the gateway is configured to perform proper tenant attribution before deciding whether to relay or not. For bounce messages, though, the configuration assumes that Microsoft does not allow spoofing the header-from domain of another 365 tenant.
Rodolfo

--
Rodolfo Saccani | CTO
Website: www.libraesva.com | Telephone: +39 0341350601

From: Graeme Slogrove <[email protected]>
Date: Sunday, 19 October 2025 at 22:40
To: Rodolfo Saccani <[email protected]>, [email protected] <[email protected]>
Subject: RE: Spoofed malicious traffic from M365

Hi Rodolfo,

This does sound very similar to the EchoSpoofing issue reported by Proofpoint last year.

https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver
https://guard.io/labs/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch

Graeme

From: mailop <[email protected]> On Behalf Of Rodolfo Saccani via mailop
Sent: Friday, October 17, 2025 9:54 PM
To: [email protected]
Subject: [mailop] Spoofed malicious traffic from M365

We are detecting hundreds of thousands of malicious messages originated by M365 using this schema:

- The attacker creates a hybrid tenant on 365
- The attacker configures the tenant to use the outbound gateway of the victim (a 365 customer who does not cooperate in validating the outbound gateway)
- The attacker sends fake bounces (empty envfrom) spoofing the header-from domain of the victim

My personal assumption has always been that this kind of spoofing of another Microsoft customer's domain was not possible on 365.

If someone from Microsoft thinks this is worth investigating, I can provide email samples if contacted directly.

Bye
Rodolfo

--
Rodolfo Saccani | CTO
Website: www.libraesva.com | Telephone: +39 0341350601
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
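The gateway-side decision the thread turns on (tenant attribution that is applied to bounces with an empty envelope sender as well, instead of trusting that the header-From domain cannot be spoofed upstream), as an added example that is not code from the thread or from any vendor's gateway. The tenant registry, tenant identifiers and sample messages are constructed, and the tenant id is assumed to be whatever attribution the gateway already trusts for the submitting connection.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed tenant registry: the domains each tenant may send as.
TENANT_DOMAINS = {
    "tenant-victim": {"victim.example"},
    "tenant-attacker": {"attacker.example"},
}

@dataclass
class RelayRequest:
    tenant_id: str      # attribution the gateway derived for the submitting tenant (assumed trusted)
    envelope_from: str  # SMTP MAIL FROM; "" for bounces/DSNs
    header_from: str    # RFC 5322 From: header

def domain_of(addr: str) -> str:
    """Domain part of an address, tolerating display names."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower()

def relay_decision(req: RelayRequest, attribute_bounces: bool) -> tuple[bool, str]:
    """Return (allow, reason).

    attribute_bounces=False reproduces the weak configuration from the thread:
    a message with an empty envelope sender skips tenant attribution on the
    assumption that an upstream provider blocks header-From spoofing.
    attribute_bounces=True checks the header-From domain for every message.
    """
    allowed = TENANT_DOMAINS.get(req.tenant_id)
    if allowed is None:
        return False, "unknown tenant"
    if req.envelope_from == "" and not attribute_bounces:
        return True, "bounce: attribution skipped (weak config)"
    # A bounce has no MAIL FROM to check, so header-From is the only sender
    # identity the recipient will see; it must belong to the submitting tenant.
    identities = [req.header_from] if req.envelope_from == "" else [req.envelope_from, req.header_from]
    for addr in identities:
        if domain_of(addr) not in allowed:
            return False, f"domain {domain_of(addr)!r} not attributed to {req.tenant_id}"
    return True, "attributed"

# Constructed samples: a fake bounce spoofing the victim's domain from another
# tenant, and a genuine bounce from the victim's own tenant.
SPOOFED_BOUNCE = RelayRequest("tenant-attacker", "", "Mail Delivery <postmaster@victim.example>")
LEGIT_BOUNCE = RelayRequest("tenant-victim", "", "postmaster@victim.example")

if __name__ == "__main__":
    for cfg in (False, True):
        print(f"attribute_bounces={cfg}:", relay_decision(SPOOFED_BOUNCE, cfg))
```

With the weak setting the spoofed bounce is relayed; with attribution applied to bounces it is rejected while the victim tenant's own bounces still pass.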
