A forged email that looks like it came from your bank, your CEO or Microsoft itself can now land in an Exchange Online inbox having passed every authentication check — because it never faced one. On June 9, 2026, researchers at InfoGuard Labs published Ghost-Sender, a technique that lets an attacker spoof virtually any sender against a misconfigured Microsoft 365 tenant, slipping past SPF, DKIM and DMARC entirely. Microsoft calls it “a known architectural limitation.” Here’s what actually happened, why the green-tick trust signals you rely on can’t be trusted in affected inboxes, and how to spot a forged message.
What happened — and how the spoof works
Ghost-Sender, disclosed June 9, 2026 by InfoGuard Labs researchers Lucas Dodgson, Tobias Oberdörfer and Robin Hilber, lets an attacker deliver email impersonating any sender, internal or external, to a Microsoft Exchange Online tenant with no authentication warning. The precondition is a common one: the organization points its MX record at an external service (typically a third-party mail filter) but has not configured an inbound connector that restricts which sources may deliver to the tenant. The tenant's own *.mail.protection.outlook.com endpoint still accepts mail from anyone, so the attacker simply sends there directly, skipping both the third-party filter and the SPF, DKIM and DMARC checks that would otherwise flag the forgery.
The key word is bypass, not break. SPF, DKIM and DMARC still do their job for mail that travels the normal path. Ghost-Sender simply takes a different door: it injects the message straight into Microsoft’s receiving endpoint, where the inbound validation never runs against it. Dark Reading describes the result bluntly — attackers can spoof any email address. InfoGuard found the exposure is widespread: fewer than half of affected environments had a mitigation applied, and more than 20% of the Exchange Online domains it scanned in bug-bounty scope appeared open to the technique. This is the same authentication-bypass family as the Gmail phishing that passed SPF, DKIM and DMARC last month — different door, same broken assumption that a “verified” sender is a safe one.
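To make the precondition above concrete, here is an added audit script (written for this page; it is not InfoGuard Labs' tooling or the article's own code) that flags exactly what the researchers describe: an accepted domain whose MX points somewhere other than the tenant's own *.mail.protection.outlook.com endpoint, with no enabled Partner inbound connector pinning inbound mail to a source IP range or TLS certificate. It assumes an Exchange Online PowerShell session and Resolve-DnsName on the admin workstation; the function names and output fields are my own, and the endpoint naming (domain with dots replaced by hyphens) is Microsoft's standard convention.

```powershell
# Added example, not from the original article or from InfoGuard Labs.
# Assumes Connect-ExchangeOnline has already been run and that Resolve-DnsName
# (DnsClient module, Windows) is available on the admin workstation.

# MX names that mean "mail is delivered straight to Microsoft". Extend the list if
# your tenant has been moved to a different Microsoft-hosted MX name.
$MicrosoftMxPatterns = @('*.mail.protection.outlook.com')

# Every tenant receives mail at <domain-with-dots-as-hyphens>.mail.protection.outlook.com;
# that is the endpoint Ghost-Sender delivers to directly.
function Get-EopEndpoint {
    param([Parameter(Mandatory)][string]$Domain)
    return (($Domain.ToLower() -replace '\.', '-') + '.mail.protection.outlook.com')
}

function Test-GhostSenderExposure {
    param([Parameter(Mandatory)][string]$Domain)

    # The lowest-preference MX is where the rest of the world delivers mail for this domain.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.QueryType -eq 'MX' } |
          Sort-Object Preference |
          Select-Object -First 1
    $mxName = if ($mx) { $mx.NameExchange } else { '(none)' }

    # Precondition 1: the MX points at a third-party gateway rather than at Microsoft.
    $externalMx = $false
    if ($mx) {
        $matchesMicrosoft = $MicrosoftMxPatterns | Where-Object { $mxName -like $_ }
        $externalMx = -not $matchesMicrosoft
    }

    # Precondition 2: no enabled Partner connector that pins inbound mail to the gateway
    # by source IP or by TLS certificate. Without one, EOP accepts mail for the tenant
    # from any host on the internet, which is the door Ghost-Sender walks through.
    $pinned = @(Get-InboundConnector | Where-Object {
        $_.Enabled -and
        $_.ConnectorType -eq 'Partner' -and
        ($_.RestrictDomainsToIPAddresses -or $_.RestrictDomainsToCertificate)
    })

    [pscustomobject]@{
        Domain           = $Domain
        Mx               = $mxName
        EopEndpoint      = Get-EopEndpoint -Domain $Domain
        ExternalMx       = $externalMx
        PinnedConnectors = $pinned.Count
        Exposed          = ($externalMx -and $pinned.Count -eq 0)
    }
}

# Walk every accepted domain in the tenant; exposed domains sort to the top.
Get-AcceptedDomain |
    ForEach-Object { Test-GhostSenderExposure -Domain $_.DomainName } |
    Sort-Object Exposed -Descending |
    Format-Table -AutoSize
```

A row with ExternalMx true and PinnedConnectors 0 is the Ghost-Sender precondition. Note that the connector check is tenant-wide while the MX check is per domain, so one pinned Partner connector with SenderDomains set to * protects every accepted domain at once; a connector that lists only some domains leaves the rest exposed even though it counts here.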
Why it matters for your inbox — and what to do
If your organization uses Exchange Online behind a third-party mail filter, a phishing message can reach you carrying a perfectly trusted From line — your finance director, a known vendor, Microsoft support — with none of the usual red flags. The defensive takeaway for you as a reader: stop treating the sender name and authentication ticks as proof of identity. Verify any request for money, credentials or urgent action through a second channel before you act.
Three concrete habits. First, slow down on anything that creates urgency or asks for money or login details — fake invoices from “trusted vendors” and CEO-fraud requests are exactly what GBHackers lists as the headline abuse cases, and they work precisely because nothing in the inbox looks wrong. Second, lean on the External sender tag in Outlook where your admin has turned it on; a message claiming to be from a colleague but flagged external is an instant tell. Third, verify out of band: call the person, open the vendor’s site yourself rather than clicking, and confirm payment changes by phone — habits that defeat a spoof no matter how clean its headers look.
If you run the mail, the fix is in your hands rather than Microsoft’s. Cyber Security News and InfoGuard point to two mitigations: a Partner Organization inbound connector that only accepts mail from your filtering provider’s IPs or certificate, and a high-priority mail-flow rule that quarantines inbound messages lacking the internal-authentication header your tenant expects. Microsoft’s own posture has shifted — from “not a vulnerability” to “a known architectural limitation” on May 29, to reopening the case on June 10 after publication — but with no platform-level patch shipped, the connector lockdown is what stands between a tenant and a Ghost-Sender forgery today. It’s a sharper reminder than last week’s Exchange Online outage that the inbox you trust most is only as honest as the rules in front of it.
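Here is what those two mitigations look like when applied from Exchange Online PowerShell, for this section and for the admin question in the FAQ below. It is an added example, not the article's or InfoGuard's own script: the gateway IP ranges, certificate subject, header name and secret value are placeholders you replace with what your filtering provider actually publishes and stamps.

```powershell
# Added example, not from the original article or from InfoGuard Labs.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Every value that names the gateway below is an assumed placeholder.

$GatewayIPs  = @('203.0.113.0/24', '198.51.100.0/24')  # assumed: the filter's outbound ranges (RFC 5737 test nets)
$GatewayCert = '*.gateway.example'                      # assumed: subject name on the filter's TLS certificate
$StampHeader = 'X-Gateway-Processed'                    # assumed: header the filter adds to every message it relays
$StampSecret = 'c3f0b8e1-replace-me'                    # assumed: per-tenant secret the filter puts in that header

# Mitigation 1: a Partner inbound connector that pins ALL inbound mail ('*') to the gateway.
# Once it exists, EOP rejects mail for any sender domain that arrives from outside
# $GatewayIPs (or without the pinned certificate), which is exactly the injection path.
function Set-GatewayOnlyConnector {
    param([switch]$PinByCertificate)

    $common = @{
        Name          = 'Inbound only via gateway'
        ConnectorType = 'Partner'
        SenderDomains = '*'
        RequireTls    = $true
        Enabled       = $true
    }
    if ($PinByCertificate) {
        # Certificate pinning: only TLS sessions presenting this subject are accepted.
        New-InboundConnector @common -RestrictDomainsToCertificate $true -TlsSenderCertificateName $GatewayCert
    } else {
        # IP pinning: keep the list in sync with the provider's published ranges,
        # because a stale list rejects legitimate mail.
        New-InboundConnector @common -RestrictDomainsToIPAddresses $true -SenderIPAddresses $GatewayIPs
    }
}

# Mitigation 2: a priority-0 mail-flow rule that quarantines inbound mail not carrying
# the gateway's stamp. FromScope NotInOrganization also matches a spoofed internal
# sender, because an unauthenticated direct injection never counts as "in organization".
function Set-GatewayStampRule {
    New-TransportRule -Name 'Quarantine mail that bypassed the gateway' `
        -Priority 0 `
        -FromScope NotInOrganization `
        -ExceptIfHeaderMatchesMessageHeader $StampHeader `
        -ExceptIfHeaderMatchesPatterns ('^' + [regex]::Escape($StampSecret) + '$') `
        -Quarantine $true `
        -Comments 'Ghost-Sender backstop: legitimate inbound mail always transits the gateway and carries its stamp' `
        -Enabled $true
}

# Apply both, then show what is now in force.
Set-GatewayOnlyConnector            # or: Set-GatewayOnlyConnector -PinByCertificate
Set-GatewayStampRule

Get-InboundConnector | Format-Table Name, ConnectorType, Enabled, RestrictDomainsToIPAddresses, RestrictDomainsToCertificate -AutoSize
Get-TransportRule    | Format-Table Priority, Name, State -AutoSize
```

Two caveats a practitioner will want. The connector is the control that actually closes the door; the header rule is a backstop, because an attacker who injects directly writes every header and can add the stamp too, so the check only holds while the value stays secret and the gateway strips any copy of that header arriving from outside. And quarantine rather than reject, at least at first: if the IP list or the stamp is wrong, legitimate mail lands somewhere you can release it from. To confirm the fix, attempt a test delivery from a host outside the gateway ranges straight to the tenant's *.mail.protection.outlook.com endpoint; it should now be refused rather than delivered.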

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.
Frequently asked questions
What is the Ghost-Sender flaw? — an Exchange Online injection that spoofs any sender past SPF/DKIM/DMARC
Ghost-Sender is a weakness in how Microsoft Exchange Online accepts inbound mail, published June 9, 2026 by InfoGuard Labs. When a tenant points its MX record at an external service (a third-party spam filter) but has not configured an inbound connector that restricts who may deliver to it, an attacker can send mail straight to the tenant's *.mail.protection.outlook.com endpoint. The message skips the filter and arrives with no authentication warning, even when the spoofed domain publishes valid SPF, DKIM and DMARC records.
Does Ghost-Sender mean SPF, DKIM and DMARC are broken? — no, they’re skipped, not defeated
No. Those standards still work as designed: they let a receiver check that a message claiming to come from a domain was sent by a host that domain authorizes (SPF), carries a signature the domain's published key validates (DKIM), and that those results align with the visible From address (DMARC). Ghost-Sender sidesteps them on the receiving side: the message is injected directly into the Exchange Online tenant, so the inbound checks that would normally flag a forgery never get the chance to act on it. The protections aren't defeated cryptographically; they're skipped.
Is my own inbox affected? — only Exchange Online tenants using an external MX without a locked-down inbound connector
Only if your organization uses Microsoft Exchange Online with an external MX record (common when a third-party security gateway sits in front of Microsoft 365) and hasn’t applied the connector or mail-flow-rule mitigations. InfoGuard found that under 50% of affected environments had mitigations in place, and over 20% of the Exchange Online domains it scanned in bug-bounty scope appeared vulnerable. Personal Outlook.com and Gmail accounts are not the target of this specific technique.
What has Microsoft said about it? — “a known architectural limitation,” case reopened June 10
Microsoft initially told InfoGuard the report was “not a vulnerability,” then — per the researchers’ timeline — acknowledged an active spoofing campaign and briefly deployed and reverted a mitigation in late April 2026. On May 29, 2026 it classified the issue as “a known architectural limitation” rather than a product vulnerability. After the public write-up, Microsoft’s Security Response Center reopened the case on June 10, 2026.
How can I tell if an email is spoofed? — you often can’t from the sender, so verify out of band
You often can’t from the sender name alone — that’s the whole point of this technique. Treat any message that asks for money, credentials, gift cards or urgent action as suspect regardless of who it appears to be from. Verify through a second channel (call the person, check the vendor’s official portal), watch for the “External” sender tag where your admin has enabled it, and never act on an invoice or password reset purely because the From line looks right.
What should an admin do to fix it? — lock the inbound connector and quarantine header-less mail
InfoGuard and follow-up coverage point to two mitigations: configure a Partner Organization inbound connector that restricts accepted mail to your filtering provider’s IP ranges or certificate, and add a high-priority mail-flow rule that quarantines inbound messages which don’t carry the internal-authentication header your tenant expects. Both close the direct-to-Microsoft injection path that Ghost-Sender relies on.
Sources
- InfoGuard Labs — “Ghost-Sender — Universal Email Spoofing against Exchange Online”, published 9 June 2026 (primary research: researchers Lucas Dodgson, Tobias Oberdörfer, Robin Hilber; external-MX-without-connector precondition; direct injection to *.mail.protection.outlook.com bypassing SPF/DKIM/DMARC; under 50% of affected environments mitigated, over 20% of scanned bug-bounty domains vulnerable; disclosure timeline — reported to MSRC 21 Apr, “not a vulnerability”; 22 Apr active campaign acknowledged; 22–27 Apr mitigation deployed then reverted; 29 May “known architectural limitation”; 10 June MSRC reopened case)
- Dark Reading — “Exchange Flaw Lets Attackers Spoof Any Email Address” (independent tier-1 coverage: attackers can spoof any internal or external sender; authentication-bypass framing)
- GBHackers — “Ghost-Sender Flaw Exposes Exchange Online Users to Sender Spoofing Attacks” (independent: abuse cases — fake vendor invoices, CEO fraud / Business Email Compromise, broad phishing with no authentication warning; mitigation summary)
- Cyber Security News (cyberpress.org) — “Ghost-Sender Flaw Enables Sender Spoofing in Exchange Online” (independent: Partner Organization inbound connector with IP/certificate restriction and priority-0 mail-flow quarantine rule as the two recommended mitigations)