On 17.10.2025 at 10:54 Rodolfo Saccani via mailop wrote:

> We are detecting hundreds of thousands of malicious messages originated by 
> M365 using this schema:
>
> - The attacker creates a hybrid tenant on 365
> - The attacker configures the tenant to use the outbound gateway of the 
> victim (a 365 customer who does not cooperate in validating the outbound 
> gateway)
> - The attacker sends fake bounces (empty envfrom) spoofing the header-from 
> domain of the victim
>
> My personal assumption has always been that this kind of spoofing of another 
> Microsoft customer’s domain was not possible on 365.

Hello Rodolfo,

Graeme has already mentioned Echospoofing. Many other ways to spoof sender 
domains from large email service providers, including Microsoft, have been 
described in the past:
- SMTP smuggling
- Message forwarding (https://arxiv.org/pdf/2302.07287.pdf)
- Authentication weaknesses (https://www.usenix.org/system/files/sec21-shen-kaiwen.pdf)
- or simply that Microsoft's Outlook intentionally spoofs the From header when 
forwarding meeting invites.

Some of those problems have been fixed, but large and complex collaboration 
platforms like Office365 offer a lot of possibilities for loopholes.

I would go with the old programming paradigm: Never rely on information which 
you receive from others to be clean, correct or consistent.

--
BR Oliver
________________________________

dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
[email protected] * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
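
A receiver-side triage check for the pattern quoted above (empty envelope sender combined with a spoofed header-From), added here as an example and not part of the original message or of any product mentioned in the thread. The function name, verdict strings and sample messages are hypothetical and constructed for illustration; it assumes the MTA hands over the envelope sender separately from the message text.

```python
from email import message_from_string
from email.utils import parseaddr

REPORT_TYPES = {"delivery-status", "disposition-notification"}  # DSN / MDN

def classify_null_sender(envelope_from, raw_message):
    """Return (verdict, header_from_domain) for one received message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if envelope_from.strip() not in ("", "<>"):
        return ("not-null-sender", from_domain)
    # Real bounces and read receipts are multipart/report with a report-type
    report_type = msg.get_param("report-type")
    is_report = (msg.get_content_type() == "multipart/report"
                 and isinstance(report_type, str)
                 and report_type.lower() in REPORT_TYPES)
    # RFC 3834: automatic replies carry Auto-Submitted with a value other than "no"
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if is_report or auto != "no":
        return ("plausible-notification", from_domain)
    # Null reverse-path on an ordinary message: matches the quoted pattern
    return ("suspicious-fake-bounce", from_domain)

# Constructed samples (not taken from real traffic)
FAKE = ("From: Accounts <billing@victim.example>\n"
        "To: user@recipient.example\n"
        "Subject: Invoice overdue\n"
        "Content-Type: text/html\n\n"
        "<p>Please review the attached invoice.</p>\n")
DSN = ("From: Mail Delivery Subsystem <MAILER-DAEMON@mx.recipient.example>\n"
       "To: user@recipient.example\n"
       "Subject: Undelivered Mail Returned to Sender\n"
       "Auto-Submitted: auto-replied\n"
       'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
       "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
       "--b1\nContent-Type: message/delivery-status\n\n"
       "Reporting-MTA: dns; mx.recipient.example\n\n--b1--\n")

if __name__ == "__main__":
    for label, sender, raw in (("fake", "<>", FAKE), ("dsn", "<>", DSN),
                               ("normal", "alice@sender.example", FAKE)):
        print(label, classify_null_sender(sender, raw))
```

The headers checked here are sender-controlled, so the verdict is one scoring input to combine with the DMARC result for the returned header-From domain, not a decision on its own.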
