Hello,
Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this assessment. MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention. The display of the sender message header could be forged or omitted just as easily as the from header.
Additionally, while it’s true that SMTP/MX can be easily spoofed, it’s the burden of the receiving mail provider to check the content and origin of messages. Any mail genuinely originating from Microsoft can be authenticated using SPF and DKIM, making this a failing of the mail service in not rejecting the message or sending it to a junk mail folder.
For protections like MX records, these can usually be bypassed and on their own do not fully protect against spoofing. Some organizations will protect against this by setting up a connector that limits intake IP ranges. This is documented as example 3 in this topic: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner or flagging items as external versus internal. While we have made some clarification notes on multiple pages, most of them are included here: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow
For other settings I recommend reaching out to support. They can help you get protections in place that may help you filter these types of spoofed emails.
As such, this thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. If you believe this to be a misunderstanding of the report, submit a new report at https://aka.ms/secure-at. Please include:
- Relevant information previously provided in your initial report
- Detailed steps required to consistently reproduce the issue
- Short explanation on how an attacker could use the information to exploit another user remotely
- Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples
For more information on what qualifies as a security vulnerability please see the following: Definition of a Security Vulnerability: https://www.microsoft.com/msrc/definition-of-a-security-vulnerability
We thank you again for taking the time to submit this report!
Regards, -C MSRC
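
An added example, not part of the MSRC reply and not Microsoft code: a receiver-side check of the kind the reply describes, which ignores the displayed Sender/From text and acts only on SPF/DKIM results stamped by the receiver's own server. The host name `mx.receiver.example`, the sample messages and the simplified alignment rule are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches one passing result, e.g. "dkim=pass header.d=vendor.example".
PASS = re.compile(r"(spf|dkim)=pass\b.*?\b(?:smtp\.mailfrom|header\.d)=(\S+)", re.I | re.S)

def authenticated_domains(msg, authserv_id):
    """Domains with an SPF or DKIM pass recorded by *our* receiver only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != authserv_id:
            continue  # stamped by someone else, so the sender may have forged it
        for part in parts[1:]:
            m = PASS.match(part)
            if m:
                domains.add(m.group(2).rsplit("@", 1)[-1].lower())
    return domains

def _aligned(auth_domain, from_domain):
    # Assumption: simplified relaxed alignment (equal, or one is a subdomain of the other).
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def classify(raw, authserv_id="mx.receiver.example"):
    """Return 'deliver' or 'junk'. The Sender header is deliberately not consulted."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ok = any(_aligned(d, from_domain) for d in authenticated_domains(msg, authserv_id))
    return "deliver" if from_domain and ok else "junk"

# Constructed sample messages (not real mail).
GENUINE = (
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=bounce@mail.vendor.example; dkim=pass header.d=vendor.example\n"
    "From: Vendor Security <secure@vendor.example>\n"
    "Subject: case update\n\nbody\n")
SPOOFED = (
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=x@bulk.sender.example; dkim=none\n"
    "Authentication-Results: mx.forged.example; dkim=pass header.d=vendor.example\n"
    "From: Vendor Security <secure@vendor.example>\n"
    "Sender: secure@vendor.example\n"
    "Subject: case update\n\nbody\n")

if __name__ == "__main__":
    print(classify(GENUINE), classify(SPOOFED))
```

A production receiver would also strip inbound `Authentication-Results` headers that carry its own identifier before adding its own, and would apply the sending domain's published DMARC policy rather than this simplified rule.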