Industry News & Leadership, Jun 10, 2026

Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address

Dark Reading. Archived Jun 10, 2026.

"Ghost-Sender" uses Exchange Online or on-premises in hybrid mode with a third-party mail server or spam filter to achieve this level of spoofing.



Alexander Culafi, Senior News Writer, Dark Reading
June 9, 2026, 4 Min Read

A weakness in certain configurations of Microsoft Exchange enables attackers to send an email from any user to a vulnerable organization. That's according to Swiss cybersecurity firm InfoGuard, which published research today concerning a new vulnerability it described as "Ghost-Sender."

Specifically, organizations that use Exchange Online or on-premises in hybrid mode with a third-party mail server or spam filter as their mail exchange (MX) record are vulnerable to this level of spoofing. MX records are a type of DNS record that directs email messages to the specific server responsible for an organization's domain.

"This is regardless of the configured SPF, DKIM, and DMARC policies of the spoofed sender's domain, and the emails are delivered without any further warning," InfoGuard says in a blog post.

"It is possible to send emails from anyone, including external and internal email addresses. For internal senders, Outlook even resolves the sender's profile picture," InfoGuard adds, showing one example where a user received an email claiming to be from Microsoft's official noreply account.

An attacker could send fake bills from an official billing email to an organization or conduct phishing attacks or fraud using the internal CEO's actual email address.

Researchers claim this is a widespread misconfiguration, and that while mitigations are available, fewer than half of organizations with an external-facing MX record have a mitigation applied.

More concerning, "Based on information provided by Microsoft support, this issue or an adjacent one appears to be actively being abused," the blog post read. InfoGuard claimed Microsoft deployed and rolled back a mitigation to the spoofing attack it observed.

How Ghost-Sender Works

By default, InfoGuard says, Exchange Online accepts any incoming emails if an external MX record is used by the organization. All an attacker needs to do at that point is run a one-line PowerShell command that sends an email from whatever user the attacker wishes.

"If an external MX record is used and no further configurations are made, the organization is vulnerable to Ghost-Sender," InfoGuard says. It's so simple and straightforward that the company even created a testing tool to scan domains and send emails to authorized users.

The researchers say Microsoft's own configuration analyzer fails to show warnings or recommendations, nor does it offer any other warnings that a configuration may be vulnerable. Enhanced filtering allegedly doesn't prevent the issue either, nor do the "Strict" and "Standard" Exchange protection settings.

Organizations using Exchange Online or on-premises Microsoft Exchange in hybrid mode can mitigate the threat of Ghost-Sender in one of two ways. They can set up a partner organization connector that applies to emails being sent to any organization or rejects emails based on IP or certificate-based validation.

Or, organizations can create a mail flow rule that "quarantines all emails where the X-MS-Exchange-Organization-AuthAs header is not set to Internal and where the IP address does not belong to one expected to send emails to Exchange Online (such as the mail server the MX record points to)."

Organizations can test the quality of the mitigations through the aforementioned testing tool InfoGuard provided.
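
The mail flow rule condition quoted above, modelled as a retrospective check over stored message headers. This is an added example, not InfoGuard's testing tool or Microsoft code; the gateway range, host names and sample headers are constructed, and it assumes the topmost Received header was stamped by the tenant in the `from <name> (<IP>) by <host>` form.

```python
import email
import ipaddress
import re

# Assumption for illustration: address range of the third-party filter the MX record points to.
EXPECTED_GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/28")]
AUTHAS = "X-MS-Exchange-Organization-AuthAs"
# "from <HELO name> (<connecting IP>) by ...": the HELO name is chosen by the
# sender, so only the parenthesised address recorded by the receiving host is used.
_PEER = re.compile(r"^from\s+\S+\s+\(\[?([0-9A-Fa-f:.]+)\]?\)", re.I)

def connecting_ip(msg):
    """Peer address from the newest (topmost) Received header, or None."""
    hops = msg.get_all("Received") or []
    m = _PEER.match(" ".join(hops[0].split())) if hops else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def verdict(raw_headers):
    """Quarantine when AuthAs is not Internal AND the peer is not the expected gateway."""
    msg = email.message_from_string(raw_headers)
    internal = (msg.get(AUTHAS) or "").strip().lower() == "internal"
    ip = connecting_ip(msg)
    via_gateway = ip is not None and any(ip in net for net in EXPECTED_GATEWAY_NETS)
    return "deliver" if internal or via_gateway else "quarantine"

# Constructed sample headers (not taken from real traffic).
EOP = "frontend01.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server"
SAMPLES = {
    "via_gateway": f"Received: from gw1.filter.example (203.0.113.5) by {EOP}\n"
                   f"{AUTHAS}: Anonymous\nFrom: billing@partner.example\n\n",
    "direct_spoof": f"Received: from 203.0.113.5 (198.51.100.77) by {EOP}\n"
                    f"{AUTHAS}: Anonymous\nFrom: ceo@victim.example\n\n",
    "internal": f"Received: from mbx01.victim.example (2001:db8::25) by {EOP}\n"
                f"{AUTHAS}: Internal\nFrom: hr@victim.example\n\n",
    "no_received": f"{AUTHAS}: Anonymous\nFrom: ceo@victim.example\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} -> {verdict(raw)}")
```

The `direct_spoof` sample puts an allowed-looking address in the HELO name; the check still quarantines it because only the peer address recorded by the receiving host is compared against the gateway range.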

Researchers also recommend disabling the Direct Send feature because doing so protects against internal spoofing on its own.

Ghost-Sender's Timeline and a Questionable Response

In a blog "timeline" section, InfoGuard claimed it initially reported the issue to Microsoft Security Response Center (MSRC) in April, but the vendor closed the issue as a non-MSRC case because the company allegedly didn't view it as a security vulnerability.

InfoGuard was directed to general Microsoft support and was seemingly met with irregular communication until May 29 when, the blog post claimed, Microsoft general support said Ghost-Sender was not a product vulnerability but instead a known architectural limitation.

"They suggest either changing the MX record to M365 or adding additional headers in forwarded emails (which doesn't fix the issue)," the company said.

Dark Reading contacted Microsoft for comment, but the company did not provide a response by press time.

Dark Reading asked InfoGuard how organizations can tell they may have been targeted after applying mitigations. A RedTeam InfoGuard spokesperson says it's difficult to find reliable indicators of compromise due to the multitude of different Exchange licenses, tenants, and configurations that customers have.

"One possible option is to check the received headers of all incoming mails for discrepancies in the mail gateway flow," the spokesperson says. "An attacker would require internal information, such as the internal IP addresses and internal host names of the appliances along the mail path, to be able to spoof this information correctly during a ghost-send."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism.
He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.