Ghost-Sender Flaw Lets Attackers Spoof Any Email Address Through Microsoft Exchange — SPF, DKIM, and DMARC All Bypassed
"Ghost-Sender" lets attackers send email as any address — internal or external — to orgs running Exchange Online or hybrid Exchange behind a third-party MX record. SPF, DKIM, and DMARC are all bypassed, fewer than half of exposed orgs have mitigations, and Microsoft says no patch is coming.
Swiss cybersecurity firm InfoGuard has published research on "Ghost-Sender," a spoofing weakness in Microsoft Exchange that allows attackers to deliver email appearing to come from any sender — including an organization's own internal addresses — with no warnings shown to the recipient.
The vulnerable configuration is common: organizations using Exchange Online, or on-premises Exchange in hybrid mode, with a third-party mail server or spam filter set as their MX record. In that setup, Exchange Online accepts incoming mail by default, and an attacker needs nothing more than a one-line PowerShell command to send a message as whatever sender they choose. The spoofed sender's SPF, DKIM, and DMARC policies are irrelevant — the mail is delivered cleanly regardless.
The impersonation is convincing enough that for internal senders, Outlook resolves the spoofed address to the real user's profile picture. InfoGuard demonstrated mail arriving as Microsoft's official no-reply account; the same mechanics support fake invoices from legitimate billing addresses or fraud instructions sent as the CEO's actual internal email.
Widespread Exposure, Active Abuse
InfoGuard found that fewer than half of organizations with an external-facing MX record have any mitigation applied. Microsoft's own configuration analyzer surfaces no warnings for vulnerable setups, and neither Enhanced Filtering nor the Strict and Standard Exchange protection presets prevent the technique.
More seriously, InfoGuard reports that according to Microsoft support, this issue or an adjacent one appears to be under active abuse — and that Microsoft deployed, then rolled back, a mitigation for the spoofing behavior the researchers observed.
The disclosure history won't reassure defenders. InfoGuard reported the issue to MSRC in April; Microsoft closed it as a non-security case and routed the firm to general support. On May 29, support characterized Ghost-Sender as a known architectural limitation rather than a product vulnerability, suggesting organizations change their MX record to point at Microsoft 365 directly. Microsoft did not respond to press requests for comment.

Mitigations
Two configurations close the gap for organizations that need to keep a third-party gateway in front of Exchange. The first is a partner organization connector that validates inbound mail by IP address or certificate. The second is a mail flow rule quarantining any message where the X-MS-Exchange-Organization-AuthAs header is not set to Internal and the sending IP isn't an expected gateway address. InfoGuard additionally recommends disabling the Direct Send feature, which independently blocks internal spoofing, and has released a testing tool so organizations can verify their domain's exposure and the effectiveness of applied mitigations.
Detection after the fact is hard. InfoGuard notes there are no reliable universal indicators given the variety of Exchange configurations; the practical option is reviewing Received headers on inbound mail for discrepancies in the gateway flow, since correctly forging that path requires an attacker to know internal IP addresses and hostnames along the mail route.
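The header check behind the mail flow rule above, and the Received-chain review just described, expressed as a small Python script (an added example, not InfoGuard's tool or Microsoft's logic). The gateway range 203.0.113.0/24, the hostname mx.gateway.example and both sample messages are constructed for the example and must be replaced with the real gateway's addresses and name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed values for this example: your gateway's real IP ranges and hostname go here.
EXPECTED_GATEWAYS = [ipaddress.ip_network("203.0.113.0/24")]
GATEWAY_HOSTNAME = "mx.gateway.example"   # hypothetical third-party filter host

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP in the topmost Received header, i.e. the host that handed the
    message to Exchange (Received headers are prepended, so index 0 is newest)."""
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def from_expected_gateway(ip):
    return ip is not None and any(ip in net for net in EXPECTED_GATEWAYS)

def should_quarantine(raw_message):
    """Mirror of the mail flow rule: quarantine unless AuthAs is Internal
    or the message arrived from one of the expected gateway addresses."""
    msg = message_from_string(raw_message)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    return auth_as != "internal" and not from_expected_gateway(connecting_ip(msg))

def gateway_hop_missing(raw_message):
    """After-the-fact check: Internet mail should show the gateway somewhere
    in its Received chain; a chain without it skipped the expected path."""
    msg = message_from_string(raw_message)
    return not any(GATEWAY_HOSTNAME in h for h in (msg.get_all("Received") or []))

# Constructed sample messages, not real captures; header values are illustrative.
VIA_GATEWAY = (
    "Received: from mx.gateway.example ([203.0.113.10]) by exchange.example.com\n"
    "Received: from sender.example.net ([192.0.2.9]) by mx.gateway.example\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "From: billing@vendor.example\n\n"
    "Invoice attached.\n"
)
DIRECT_TO_EXCHANGE = (
    "Received: from unknown-host ([198.51.100.77]) by exchange.example.com\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "From: ceo@example.com\n\n"
    "Please process the attached payment instructions.\n"
)

if __name__ == "__main__":
    for name, raw in (("via gateway", VIA_GATEWAY), ("direct", DIRECT_TO_EXCHANGE)):
        print(name, "quarantine:", should_quarantine(raw), "gateway hop missing:", gateway_hop_missing(raw))
```

The message that bypassed the gateway is flagged by both checks, while the one that took the expected path through the filter passes, which is the distinction the mitigation relies on.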
The Bigger Picture
Email authentication is widely treated as a solved problem — publish SPF, sign with DKIM, enforce DMARC, done. Ghost-Sender is a reminder that those controls protect the path mail should take, not every path it can take. A routing-layer gap in a hybrid architecture quietly nullifies all three, and Microsoft's classification of it as a limitation rather than a vulnerability means no patch is coming: the fix is configuration, and the burden is on each organization to apply it. If your MX record points anywhere other than Microsoft 365, test your exposure now.