Microsoft Exchange 'Ghost-Sender' Flaw Enables Widespread Email Spoofing
Severity: High (Score: 69.8)
Sources: Darkreading, Gbhackers
Keywords: microsoft, exchange, email, flaw, ghost-sender, online, spoofing
Severity indicators: flaw
Summary
A newly identified vulnerability in Microsoft Exchange, termed 'Ghost-Sender', allows attackers to spoof any email address, bypassing standard email authentication controls. This flaw affects organizations using Exchange Online or hybrid configurations with third-party mail servers, enabling forged messages to be delivered directly to users' inboxes. Swiss cybersecurity firm InfoGuard reported that this misconfiguration is widespread, with fewer than half of affected organizations applying mitigations. Attackers can impersonate internal and external email addresses, raising the risk of phishing and fraud. Microsoft has acknowledged the issue, with indications that it is being actively exploited. Mitigations include setting up partner organization connectors or creating specific mail flow rules. InfoGuard has also developed a testing tool to help organizations identify vulnerabilities in their configurations.
Key Points:
- The 'Ghost-Sender' flaw allows email spoofing from any address in Microsoft Exchange environments.
- Less than 50% of organizations with vulnerable configurations have applied mitigations.
- Mitigations involve setting up connectors or mail flow rules to prevent spoofing.
Detailed Analysis
**Impact** Organizations using Microsoft Exchange Online or on-premises in hybrid mode with third-party mail servers or spam filters as their MX records are affected. The flaw enables attackers to spoof any email address, including internal users, bypassing SPF, DKIM, and DMARC protections, leading to potential phishing, fraud, and business email compromise. The issue is widespread, with fewer than half of vulnerable organizations having applied mitigations. No specific sectors or geographies were detailed in the sources.

**Technical Details** The vulnerability arises from misconfigurations in Exchange environments using external MX records, allowing attackers to send spoofed emails that appear legitimate, including internal sender profiles. The attack bypasses standard email authentication and filtering, and Microsoft’s configuration analyzer does not detect the issue. No CVE identifiers or malware/tool names were provided. The flaw affects the delivery stage of the kill chain by enabling direct inbox delivery of forged messages.

**Recommended Response** Organizations should implement either a partner organization connector enforcing IP or certificate validation or create mail flow rules quarantining emails lacking proper internal authentication headers and originating from unexpected IPs. Disabling the Direct Send feature is advised to prevent internal spoofing. Use InfoGuard’s testing tool to verify mitigation effectiveness. Monitoring for suspicious email activity and spoofing attempts is recommended where mitigations are not yet applied.
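The mail flow rule condition described under Recommended Response, written as offline triage logic over inbound message records. This is an added example, not code from InfoGuard, Microsoft or the source articles. It assumes the "internal authentication header" is Exchange's `X-MS-Exchange-Organization-AuthAs` stamp; the domain, gateway range and sample records are constructed.

```python
import ipaddress

# Assumptions, not from the source articles: the accepted domain, the gateway's
# egress range, and AuthAs as the "internal authentication header" to key on.
ACCEPTED_DOMAINS = {"example.com"}
EXPECTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/28")]
AUTH_HEADER = "x-ms-exchange-organization-authas"

# Constructed sample records, shaped like an export of inbound message metadata.
SAMPLES = [
    {"id": "m1", "from": "ceo@example.com", "source_ip": "203.0.113.45",
     "headers": {"X-MS-Exchange-Organization-AuthAs": "Anonymous"}},
    {"id": "m2", "from": "billing@partner.example", "source_ip": "192.0.2.10",
     "headers": {"X-MS-Exchange-Organization-AuthAs": "Anonymous"}},
    {"id": "m3", "from": "hr@example.com", "source_ip": "10.1.2.3",
     "headers": {"X-MS-Exchange-Organization-AuthAs": "Internal"}},
    {"id": "m4", "from": "Vendor <ap@vendor.example>", "source_ip": "198.51.100.7",
     "headers": {}},
    {"id": "m5", "from": "it@example.com", "source_ip": "not-an-ip", "headers": {}},
]

def from_expected_gateway(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source address counts as unexpected
    return any(addr in net for net in EXPECTED_GATEWAYS)

def sender_domain(address):
    return address.rpartition("@")[2].strip(" >").lower()

def triage(msg):
    """Return (action, reason) for one inbound message record."""
    headers = {k.lower(): v.strip().lower() for k, v in msg.get("headers", {}).items()}
    if headers.get(AUTH_HEADER) == "internal":
        return ("deliver", "internally authenticated")
    if from_expected_gateway(msg.get("source_ip", "")):
        return ("deliver", "arrived via expected gateway")
    # Neither condition holds: the message reached the tenant without passing the MX.
    if sender_domain(msg.get("from", "")) in ACCEPTED_DOMAINS:
        return ("quarantine", "internal sender from unexpected IP")
    return ("quarantine", "bypassed gateway")

def run(records):
    return {m["id"]: triage(m) for m in records}

if __name__ == "__main__":
    for msg_id, (action, reason) in run(SAMPLES).items():
        print(f"{msg_id}: {action} ({reason})")
```

Run over historical message metadata, the same logic doubles as the monitoring step recommended where mitigations are not yet applied.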
Source articles (2)
- Ghost — Gbhackers · 2026-06-09
  A newly disclosed “Ghost-Sender” flaw is exposing Microsoft Exchange Online environments to large-scale email spoofing attacks, allowing threat actors to bypass standard email authentication controls…
- Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address — Darkreading · 2026-06-09
  "Ghost-Sender" uses Exchange Online or on-premises in hybrid mode with a third-party mail server or spam filter to achieve this level of spoofing. A weakness in certain configurations of Microsoft Exc…
Timeline
- 2026-06-09 — Ghost-Sender vulnerability disclosed: InfoGuard published research revealing a flaw in Microsoft Exchange that allows email spoofing, affecting hybrid and cloud deployments.
- 2026-06-09 — Active exploitation reported: Microsoft support indicated that the Ghost-Sender issue or a related vulnerability is being actively exploited in the wild.
- 2026-06-09 — Mitigation recommendations provided: Organizations are advised to implement partner organization connectors or mail flow rules to mitigate the spoofing risk.
Related entities
- Phishing (Attack Type)
- CWE-287 - Improper Authentication (CWE)
- spoofing.mx (Domain)
- T1566 - Phishing (MITRE ATT&CK)
- Microsoft Exchange (Platform)
- Microsoft Exchange Online (Platform)
- Ghost-Sender (Vulnerability)