Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address
“Ghost-Sender" is the result of a widespread misconfiguration, according to researchers, and evidence indicates it's being actively abused in the wild.
Office 365 is Microsoft's cloud productivity suite, whose identity, email, and data controls make its vulnerabilities and security advisories consequential.
Search across headline titles and summaries.
Background for this topic.
Office 365 is Microsoft’s cloud-hosted productivity and collaboration service, encompassing Exchange Online email, SharePoint, OneDrive, Teams, and web and desktop Office applications. Because these services store communications and business documents in a shared cloud environment, the tag includes both attacks against the platform and security issues arising from tenant configuration, identity, and connected applications.
Material risks include phishing or stolen credentials leading to account takeover, malicious OAuth applications gaining delegated access, mailbox forwarding rules, and excessive external sharing of files. Effective defenses include phishing-resistant multifactor authentication, conditional-access policies, least-privilege administration, controlled app consent, data-loss prevention, and review of audit and sign-in logs. Security teams must also track Microsoft advisories and client vulnerabilities, preserve cloud evidence for investigations, and apply retention, privacy, and compliance controls appropriate to the data stored in the tenant.
Weekly headline count for the current query.
“Ghost-Sender" is the result of a widespread misconfiguration, according to researchers, and evidence indicates it's being actively abused in the wild.
Microsoft is working to address a widespread service issue affecting the mail flow pipeline for Exchange Online customers across North America and Germany. [...]
Microsoft readies the axe once again for yesterday's security
Microsoft readies the axe once again for yesterday's security Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.…
Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. [...]
Microsoft is investigating and working to resolve Exchange Online mailbox access issues that have intermittently affected Outlook mobile and macOS users for weeks. [...]
Microsoft is working to address an ongoing service issue that has intermittently prevented some users from accessing their cloud-based Exchange Online mailboxes via Outlook mobile and Mac desktop clients since Thursday. [...]
Microsoft is working to address an ongoing Exchange Online outage that is preventing customers from accessing their mailboxes and calendars. [...]
Microsoft says an Exchange Online issue that mistakenly quarantined legitimate emails last week was triggered by faulty heuristic detection rules designed to block credential phishing campaigns. [...]
Microsoft is investigating an ongoing Exchange Online issue that mistakenly flags legitimate emails as phishing and quarantines them. [...]
Microsoft announced today that the Exchange Web Services (EWS) API for Exchange Online will be shut down in April 2027, after nearly 20 years. [...]
Microsoft is working to fix an Exchange Online service outage that intermittently prevents users from accessing their mailboxes via the Internet Mailbox Access Protocol 4 (IMAP4). [...]
Microsoft said that Office 365 tenants with weak configurations and who don't have strict anti-spoofing protection enabled are especially vulnerable.
Negative feedback sinks Redmond's plan to cap outbound email recipients Microsoft has backed away from planned changes to Exchange Online after customers objected to limits designed to curb outbound email abuse.…
Microsoft announced today that it has canceled plans to impose a daily limit of 2,000 external recipients on Exchange Online bulk email senders. [...]
Microsoft announced on Monday that it will soon block mobile devices running outdated email software from accessing Exchange Online services until they're updated. [...]
Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams
Microsoft is investigating an Exchange Online service outage that is preventing customers from accessing their mailboxes using the classic Outlook desktop client. [...]