Hi Rodolfo, This does sound very similar to the EchoSpoofing issue reported by Proofpoint last year.
https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver https://guard.io/labs/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch Graeme From: mailop <[email protected]> On Behalf Of Rodolfo Saccani via mailop Sent: Friday, October 17, 2025 9:54 PM To: [email protected] Subject: [mailop] Spoofed malicious traffic from M365 We are detecting hundreds of thousands of malicious messages originated by M365 using this schema: * The attacker creates a hybrid tenant on 365 * The attacker configures the tenant to use the outbound gateway of the victim (a 365 customer who does not cooperate in validating the outbound gateway) * The attacker sends fake bounces (empty envfrom) spoofing the header-from domain of the victim My personal assumption has always been that this kind of spoofing of another Microsoft customer's domain was not possible on 365. If someone from Microsoft thinks this is worth investigating, I can provide email samples of contacted directly. Bye Rodolfo -- [Libraesva] Rodolfo Saccani | CTO Website: www.libraesva.com<https://www.libraesva.com> | Telephone: +39 0341350601<tel:+390341350601> This message has been checked by Libraesva ESG and is believed to be clean. Email secured by Trustwave advanced threat protection. Learn more at https://trus.tw/mailmarshal This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
