Summary
Magna5 has detected a widespread increase in email spoofing and phishing activity affecting Microsoft 365 and Exchange Online environments. A growing number of organizations have reported receiving spam and phishing emails that appear to originate from their own email addresses.
What Is Happening
Threat actors are exploiting a default Microsoft 365 mail flow feature known as Direct Send, which allows devices and applications to send email through Microsoft's servers without authentication. Attackers are using this functionality to forge the "From" address on inbound messages, making it appear as though the recipient sent the email to themselves. Because Direct Send operates within the Microsoft 365 infrastructure, traditional email authentication protocols such as SPF, DKIM, and DMARC may not fully prevent these messages from being delivered. This does not indicate that any user's account has been compromised. The attacker does not have access to the mailbox. The "From" address is being forged externally.
What You Should Do
Technical Background
Direct Send is a mail flow method in Exchange Online that allows SMTP connections to Microsoft's MX endpoint without authentication. It was designed to support devices such as copiers, scanners, and internal applications that send email on behalf of users. By default, Exchange Online accepts these anonymous connections for any accepted domain on the tenant.
Microsoft has released updated controls to address this issue, and Magna5 has been implementing corrective action on impacted tenants.
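For triage of reported messages, the pattern described above (a message that appears to come from the recipient's own address but did not pass DMARC) can be checked directly from the headers. The following is an added example, not Magna5's or Microsoft's code; the addresses and sample messages are constructed, and it assumes the receiving system records verdicts in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages for illustration (not real traffic).
AR = "Authentication-Results: mx.example.test; "
SPOOFED = (AR + "spf=fail smtp.mailfrom=example.test; dkim=none; "
           "dmarc=fail header.from=example.test\n"
           "From: Alice <alice@example.test>\nTo: alice@example.test\n"
           "Subject: New voicemail\n\nbody\n")
LEGIT_SELF = (AR + "spf=pass smtp.mailfrom=example.test; "
              "dkim=pass header.d=example.test; "
              "dmarc=pass header.from=example.test\n"
              "From: alice@example.test\nTo: alice@example.test\n"
              "Subject: note to self\n\nbody\n")
EXTERNAL = (AR + "spf=fail smtp.mailfrom=other.test; dkim=none; "
            "dmarc=fail header.from=other.test\n"
            "From: bob@other.test\nTo: alice@example.test\n"
            "Subject: hello\n\nbody\n")

def _addresses(msg, *fields):
    """Lower-cased addresses found in the given header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def classify(raw):
    """Return (self_addressed, verdicts, flagged) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            # Keep the first verdict seen for each method.
            verdicts.setdefault(method.lower(), result.lower())
    # Self-addressed: the visible From address is also a To/Cc recipient.
    self_addressed = bool(_addresses(msg, "From") & _addresses(msg, "To", "Cc"))
    # Assumption: a missing DMARC verdict is treated as unauthenticated.
    flagged = self_addressed and verdicts.get("dmarc") != "pass"
    return self_addressed, verdicts, flagged

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT_SELF), ("external", EXTERNAL)]:
        print(name, classify(raw))
```

A flagged message is a candidate for review, not proof of Direct Send abuse; confirm against the tenant's message trace before acting.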
Strengthen Your Email Security Posture
Magna5 offers DMARC Management, a fully managed monitoring and management service for DMARC, SPF, and DKIM. The service helps protect your domain from spoofing, phishing, and unauthorized email use. To learn more about DMARC, SPF, and DKIM, please review this article: SPF, DKIM, and DMARC Explained. To perform a test of your domain, you can use the Magna5 Email Health Check.