Phishing, business email compromise (BEC), CEO fraud, ransomware - almost every major cyber campaign starts with an email. Accordingly, companies invest heavily in mail gateways, spam filters and protocols such as SPF, DKIM and DMARC.
However, in recent security assessments the InfoGuard Red Team has identified a widespread misconfiguration in Microsoft Exchange Online. Under certain circumstances, attackers can deliver email directly to the tenant without passing through the upstream email security solution. This bypasses the protection mechanisms enforced there and allows email to be delivered with arbitrary internal or external sender addresses.
The consequences can be serious: Targeted phishing attacks can be carried out via the company's own mail domain. For example, attackers could pretend to be the CEO and use deceptively genuine internal emails to trick employees into disclosing information or carrying out actions.
With certain Exchange Online configurations, email can be delivered directly to the tenant without passing through the upstream email security solution. The checks that gateway would otherwise enforce, such as SPF, DKIM and DMARC evaluation and spam filtering, are bypassed, and external attackers can impersonate both internal and external senders.
According to Microsoft, this is not a product vulnerability, but a configuration situation in the interaction between Exchange Online and upstream mail gateways.
Typically affected are organizations that:
use Exchange Online (including hybrid deployments with Exchange on-premises), and
route incoming emails via an external mail gateway or a third-party security solution.
In our observations this affects a wide range of environments, including large organizations with mature security programs.
Email security does not end with the purchase of a product; it begins with precise configuration and continuous monitoring. The ghost sender scenario is a good example of how quickly blind spots can creep into complex architectures, even in organizations with high security requirements.
Those who act now can:
close critical configuration gaps,
make impersonation attacks significantly harder,
and strengthen their own cyber resilience in the long term.
InfoGuard has developed ghost-sender.com to enable a quick initial check.
Our platform, developed specifically for this scenario, tests mail domains for possible ghost sender risks. A detailed technical article is also available on the InfoGuard Labs blog.
Domain check
Check your mail domains on ghost-sender.com.
Involve specialists
If you are affected, contact your Microsoft partner, email provider or the operator of your email infrastructure to check and implement the recommended protective measures.
Inform those responsible
Inform the people responsible for your email infrastructure within your organization about the results.
Important: the necessary configuration adjustments depend on your individual Exchange Online and mail gateway environment and cannot be made centrally by InfoGuard.
Check your mail domains now. This gives you immediate clarity as to whether your organization is affected by the configuration situation described, lets you identify the need for action early, and allows you to initiate the next steps together with the responsible specialist departments.
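To make the affected pattern from the list above concrete (Exchange Online tenant, third-party gateway in front), here is an added triage script. It is example code written for this page, not the ghost-sender.com check and not InfoGuard tooling. It rests on one assumption stated as such: Microsoft's naming convention for a tenant's direct Exchange Online Protection (EOP) inbound host, where the dots of an accepted domain are replaced by dashes under mail.protection.outlook.com (contoso.com becomes contoso-com.mail.protection.outlook.com). The MX data below is constructed, not real lookups. The script only establishes whether a delivery path that skips the gateway exists in DNS; whether the tenant actually accepts mail on that path depends on its inbound connectors and mail flow rules, which is precisely what the steps above ask you to verify with your provider.

```python
"""
Triage a mail domain for the "ghost sender" pattern: an Exchange Online tenant
whose public MX points at a third-party gateway while the tenant's own EOP
inbound endpoint remains directly reachable.

Added example for this page; not the ghost-sender.com implementation.
Assumption: the EOP endpoint naming convention documented by Microsoft
(dots in the domain replaced by dashes, under mail.protection.outlook.com).
"""
import socket
from dataclasses import dataclass

EOP_SUFFIX = ".mail.protection.outlook.com"


def eop_endpoint(domain: str) -> str:
    """Derive the tenant's direct EOP inbound host for an accepted domain.
    contoso.com -> contoso-com.mail.protection.outlook.com (assumed convention)."""
    return domain.strip().lower().rstrip(".").replace(".", "-") + EOP_SUFFIX


def is_eop_host(host: str) -> bool:
    """True if an MX host is itself an EOP endpoint (no third-party gateway)."""
    return host.strip().lower().rstrip(".").endswith(EOP_SUFFIX)


def eop_endpoint_resolves(domain: str) -> bool:
    """Live A/AAAA check of the EOP endpoint via the system resolver.
    MX records need a DNS library or `dig`; pass them into triage() yourself."""
    try:
        socket.getaddrinfo(eop_endpoint(domain), 25)
        return True
    except socket.gaierror:
        return False


@dataclass
class Triage:
    domain: str
    mx_hosts: list[str]
    eop_host: str
    eop_resolves: bool
    verdict: str = ""
    reason: str = ""


def triage(domain: str, mx_hosts: list[str], eop_resolves: bool) -> Triage:
    """Classify a domain from its MX hosts and whether its EOP endpoint resolves.

    Verdicts:
      not-exo           EOP endpoint does not resolve; probably not an Exchange
                        Online accepted domain, so the scenario does not apply.
      no-mx             EOP endpoint exists but the domain publishes no MX.
      mx-direct-to-eop  MX already points at EOP; no upstream gateway to bypass.
      gateway-in-front  MX points at a third-party host AND the EOP endpoint
                        resolves: a DNS path that skips the gateway exists.
                        Only the tenant's inbound connector and mail flow rules
                        decide whether such mail is accepted; verify those.
    """
    t = Triage(domain, mx_hosts, eop_endpoint(domain), eop_resolves)
    if not eop_resolves:
        t.verdict, t.reason = "not-exo", f"{t.eop_host} does not resolve"
    elif not mx_hosts:
        t.verdict, t.reason = "no-mx", "no MX records supplied"
    elif all(is_eop_host(h) for h in mx_hosts):
        t.verdict, t.reason = "mx-direct-to-eop", "all MX hosts are EOP"
    else:
        third = [h for h in mx_hosts if not is_eop_host(h)]
        t.verdict = "gateway-in-front"
        t.reason = (f"MX -> {', '.join(third)} but {t.eop_host} is reachable; "
                    "confirm the tenant rejects mail not relayed by the gateway")
    return t


# Constructed sample data (hypothetical domains, not real lookups).
SAMPLE = {
    "example-gateway.test": (["mx1.thirdparty-gateway.test",
                              "mx2.thirdparty-gateway.test"], True),
    "example-direct.test":  (["example-direct-test.mail.protection.outlook.com"], True),
    "example-notexo.test":  (["mail.example-notexo.test"], False),
}


def run_samples() -> dict[str, str]:
    """Verdict per sample domain; used for the offline demonstration."""
    return {d: triage(d, mx, eop).verdict for d, (mx, eop) in SAMPLE.items()}


if __name__ == "__main__":
    for d, (mx, eop) in SAMPLE.items():
        t = triage(d, mx, eop)
        print(f"{t.domain:24} {t.verdict:18} {t.reason}")
```

For a real domain, feed `triage()` the MX hosts from `dig MX <domain>` and the result of `eop_endpoint_resolves(<domain>)`. A "gateway-in-front" verdict is a prompt to check the tenant's inbound restriction with your Microsoft partner or mail provider, not a confirmed finding.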
In the InfoGuard Labs blog, we shed light on the technical background of the ghost sender scenario in detail: from the relevant Exchange Online and mail gateway configurations to the specific attack paths and protective measures.
The technical deep dive provides a well-founded classification of the cyber risks described and shows which measures you should consider in your environment.
Sources & references
- Ghost sender
- InfoGuard LABS: Universal Email Spoofing against Exchange Online
- NCSC, Cyber Security Hub (CSH): [Advisory] Microsoft Exchange: Arbitrary Email Spoofing