Ghost-Sender: universal email spoofing against Exchange Online

InfoGuard Labs researchers described an Exchange Online misconfiguration that allows attackers to send emails on behalf of any domain—internal or external—bypassing SPF, DKIM, and DMARC checks.
If a company uses Exchange Online or a hybrid Exchange setup with an external MX record (such as a third‑party mail gateway or antispam service), messages can reach the recipient server directly, bypassing the expected filtering chain, and land in users' inboxes.
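A defender-side check for the delivery path described above, as an added example that is not code from InfoGuard Labs or Microsoft: it labels a message by which peer handed it to Exchange Online, reading the topmost Exchange Online edge hop in the Received chain. The gateway range, the host names and the Received layout are assumptions, and both messages are constructed.

```python
import email
import ipaddress
import re

# Assumptions, not from the article: the gateway egress range below and the
# "from <host> (<ip>) by <host>.mail.protection.outlook.com" Received layout.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # constructed value
EXO_EDGE = re.compile(r"\bby\s+\S+\.mail\.protection\.outlook\.com\b", re.I)
PEER_IP = re.compile(r"\bfrom\s+\S+\s+\(([0-9A-Fa-f:.]+)\)", re.I)

def classify(raw_message: str) -> str:
    """Label a message by the peer that handed it to Exchange Online."""
    msg = email.message_from_string(raw_message)
    # Received headers are prepended, so the first edge hop from the top is the
    # one the tenant's own front end wrote; anything below it is sender-supplied.
    for hop in msg.get_all("Received", []):
        if not EXO_EDGE.search(hop):
            continue
        peer = PEER_IP.search(hop)
        try:
            addr = ipaddress.ip_address(peer.group(1)) if peer else None
        except ValueError:
            addr = None
        if addr is None:
            return "unparsed"
        if any(addr in net for net in GATEWAY_NETS):
            return "via-gateway"
        return "direct-to-exo"
    return "no-exo-hop"

# Constructed samples. In DIRECT the lower Received line is a forged gateway hop.
VIA_GATEWAY = """\
Received: from gw1.filter.example (192.0.2.10) by
 FE01.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server
Received: from mta.sender.example (198.51.100.7) by gw1.filter.example
From: alice@sender.example

body
"""
DIRECT = """\
Received: from host.unknown.example (203.0.113.44) by
 FE02.mail.protection.outlook.com (10.0.0.6) with Microsoft SMTP Server
Received: from gw1.filter.example (192.0.2.10) by
 FE01.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server
From: ceo@recipient.example

body
"""
print(classify(VIA_GATEWAY), classify(DIRECT))
```

Messages labelled `direct-to-exo` in a tenant whose MX points at a gateway are the ones that skipped the filtering chain and merit review.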
The authors believe the issue is widespread: more than 20% of tested Exchange Online domains in bug bounty programs were vulnerable, and nearly half of organizations with external MX records hadn't implemented the required protections.
Microsoft referred to the issue as a
Vendors: Microsoft, InfoGuard Labs
Products: Configuration Analyzer, Exchange Online, Ghost-Sender
Published: 2026-06-17, 15:08