ctipilot.ch


"Ghost-Sender": Exchange Online accepts spoofed inbound mail bypassing SPF/DKIM/DMARC when a third-party MX fronts the tenant — no vendor patch

high threat discovered 2026-06-10 05:00 UTC

Entities: Ghost-Sender NCSC-CH

Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))

Swiss security firm InfoGuard Labs disclosed "Ghost-Sender" on 9 June, a configuration-layer email-spoofing weakness affecting Microsoft 365 tenants whose published MX record points to a third-party gateway (Barracuda/Proofpoint/Mimecast) rather than Microsoft (InfoGuard, 2026-06-09). When inbound filtering is enforced only on the MX path, an attacker who knows the target domain can connect directly to the tenant's *.mail.protection.outlook.com endpoint and relay messages that present as any internal or external sender; because the delivery originates from Microsoft IP space, SPF passes, DKIM has no mismatched signature to fail on, and DMARC is evaluated favourably — the spoofed mail lands in the inbox, in some cases rendering the impersonated internal user's profile picture (NCSC-CH, 2026-06-09). InfoGuard reports that across its bug-bounty sample over 20% of Exchange Online domains were exploitable and roughly half of external-MX deployments lacked the mitigation; Microsoft characterised the behaviour as a known architectural limitation and has not shipped a platform fix, while NCSC-CH issued its own advisory and Microsoft Support confirmed active abuse (NCSC-CH, 2026-06-09). This is a configuration issue (no CVE), enabling high-fidelity BEC and internal-sender impersonation against any organisation on the affected architecture.

Why it matters to us: the EXO-plus-external-filter topology is the dominant Microsoft 365 model in Swiss and EU public-sector environments, and there is no patch — mitigation is configuration. Add an inbound connector of type "Partner"/"On-premises" that requires the gateway's pinned TLS certificate or approved IP ranges, and a priority-0 transport rule that quarantines or rejects inbound mail not arriving via the approved external-filter connector; ensure Enhanced Filtering for Connectors (skip-listing) is configured so EXO evaluates the true originating IP. Hunt in Message Trace for mail received on the Default Frontend connector rather than the expected partner connector.
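The three mitigation steps and the hunt above, as an added Exchange Online PowerShell example (not InfoGuard's, NCSC-CH's or Microsoft's own guidance); it assumes the ExchangeOnlineManagement module is installed, and the gateway IP ranges and TLS certificate name are placeholders to replace with the filter vendor's published values.

```powershell
# Added example. Placeholder values below are constructed, not real vendor data.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$GatewayRanges = @('203.0.113.0/24', '198.51.100.0/24')   # placeholder: gateway's published IP ranges
$GatewayCert   = '*.gateway.example'                       # placeholder: gateway's TLS certificate name

# 1. Partner connector: only mail presenting the gateway's certificate counts as gateway mail, and
#    Enhanced Filtering (skip-listing) skips the gateway hop so EXO evaluates the true originating IP.
New-InboundConnector -Name 'Inbound from external filter' -ConnectorType Partner -SenderDomains '*' `
    -RequireTls $true -RestrictDomainsToCertificate $true -TlsSenderCertificateName $GatewayCert `
    -EFSkipLastIP $true

# 2. Priority-0 transport rule: external mail that did not arrive from the gateway ranges is rejected.
New-TransportRule -Name 'Reject inbound mail bypassing external filter' -Priority 0 `
    -FromScope NotInOrganization -ExceptIfSenderIpRanges $GatewayRanges `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Inbound mail must arrive via the approved filtering gateway'

# 3. Hunt: delivered messages in the last 7 days whose connecting IP lies outside the gateway ranges,
#    i.e. mail that reached the tenant directly instead of through the partner connector (IPv4 only).
function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipAddr = [System.Net.IPAddress]::Parse($Ip)
    if ($ipAddr.AddressFamily -ne 'InterNetwork') { return $false }
    $ipBytes  = $ipAddr.GetAddressBytes();                      [Array]::Reverse($ipBytes)
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes(); [Array]::Reverse($netBytes)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    # 0xFFFFFFFF is an int64 in PowerShell; mask back to 32 bits after the shift
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Get-MessageTrace returns at most one page (PageSize, default 1000); loop over -Page for large tenants.
$suspect = Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object {
        $ip = $_.FromIP
        $_.Status -eq 'Delivered' -and $ip -and
            -not ($GatewayRanges | Where-Object { Test-IPInCidr -Ip $ip -Cidr $_ })
    }
$suspect | Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject | Format-Table
```

Run the transport rule in test mode (`-Mode Audit`) against a week of trace data first, since any legitimate direct sender (monitoring, hybrid relays) will otherwise be rejected.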

phishing identity cloud switzerland europe