Vulnerability in My Office 365

Occasional Contributor

Hi there 


I got an email from a security researcher saying that there is a big vulnerability in our mail server.

I observed this when I sent an email from through to email (or to any other email account), and when I then checked my Gmail I had received an email from . This is due to server security.


Steps to reproduce:

1) Open this url
2) Type in the ''From email'' field or any email of your website.
3) After that, send the victim an email like in the ''To'' field.
4) Write other details about what you want and send it to the victim's email.
5) The victim will receive an email from


All my SPF, DKIM, DMARC are in place


How do we fix this problem?

3 Replies

Hi @Sumesh1980 


Short answer: This is an issue with email security in general and not a security flaw with Office 365 itself. Check that your DMARC record is set to at least quarantine or reject.


Longer answer (sorry for rambling)


This isn't really a security issue with Office 365 in and of itself, but with how email fundamentally works.


The base email protocols do not have any built-in mechanism for authentication - in fact, open relays weren't too uncommon in the early days. In addition, there are some legitimate uses for spoofing email.


That website you posted has no interaction with Office 365 whatsoever - it does not try to log in, relay or have anything to do with Office 365, so there isn't a security vulnerability in that sense. 


That website simply sends out an email saying it is from - it can do that because, as mentioned, there are no authentication protocols in base email. Anyone could set up their own server to do that.


The problem in this case is that the receiving server - in this case Gmail - is accepting the email. I've tested that website to spoof an email from my O365 address, and while it did give a warning that the email did not look legitimate, it still delivered it to my inbox.


So what should happen? Well, the receiving server should get the email and run through SPF, DKIM and DMARC and see if the email passes these tests. Is the sending IP listed in the SPF record? Do the DKIM keys match? What should it do with the email if it fails?


It is up to the configuration of the receiving server how it will deal with an email that has failed these tests. While it is excellent that you have set up SPF/DKIM/DMARC, many others have not, so lots of organisations do not enforce the checks because they might miss out on legitimate email. SPF/DKIM/DMARC only really work best when everyone is using them.


I just made a quick change on my DMARC record - the policy was set to none but I've changed this to "p=quarantine" and resent the email via that website - now it has gone directly into spam, so it seems that Google is respecting my domain's DMARC record instructions. If I want to completely avoid doubt, I could set it to reject, but this might interfere with some third parties, so I would want to double check this before applying.


Apologies for the big wall of text - hope this has been useful.



best response confirmed by Sumesh1980 (Occasional Contributor)





That's a very good way of explaining how things work on the Office 365 server. I will try to set the DMARC policy from none to "p=quarantine".


Let's see if this gives us a fair warning about the legitimacy of the mails.

Hi @Sumesh1980 


Did my advice of changing your DMARC record to "p=quarantine" fix your issue?