You can read the blog from Security.com here - it's exposed a dangerous twist on an old threat: EchoSpoofing. comprehensive technical breakdown of how EchoSpoofing works, the infrastructure being exploited, and detailed mitigation strategies, we highly recommend reading the full analysis from the security research team:
If your organisation uses Microsoft 365 for email, this affects you.
The attack shows how threat actors can bypass core email authentication mechanisms likeSPF and DKIM while still impersonating trusted domains, including otherMicrosoft 365 tenants. If you're relying solely on default Microsoft email protections, this development should serve as a wake-up call.
What's Happening?
Attackers are:
- Creating maliclious Microsoft 265 tenants
- Misusing hybrid connectors
- Relaying spoofed emails through Microsoft infrastructure
- Bypassing SPF and DKIM checks while impersonating legit domains
What's even worse is that these spoofed emails can appear 100% authenticated and trusted!
Why It Matters
Microsoft tenants can now spoof each other. This means:
- Phising emails can pass all your filters
- Brand trust is undermined
- Default mail flow settings arent safe anymore
Some attackers are even layering on third-party hygine services to further boost credibility and deliverability.
What Should You Do?
If you're an M365 admin or security lead:
- Tighten your DMARC policy. Move from p=none to quarentine or reject
- Lock down mail connectors. Don't allow all Microsoft IP's by default
- Layer in advanced protection. User Defender for Office 365 plus a secure email gateway.
In Summary - The Bottom Line Is This!
The EchoSpoofing threat exploits trusted infrastructure to make malicious mail look legitimate, bypassing many of the security controls organisations have come to rely on. By abusing Microsoft 365's own connectors and relay mechanisms, attackers can send emails that appear to come from legitimate domains, complete with valid SPF, DKIM, and DMARC authentication. This makes detection extraordinarily difficult using traditional email security approaches. This isn't just another phishing campaign - it's a sophisticated case of platform abuse that should concern every organisation using cloud email infrastructure.This isn't just another phishing campaign - it's a sophisticated case of platform abuse that should concern every organisation using cloud email infrastructure.
What This Means For You
If you're running Microsoft 365, now is the time to take action. We recommend immediately reviewing your connector settings, authentication policies, and monitoring configurations. Pay particular attention to any external connectors that might be relaying mail on behalf of your domains, and ensure you have comprehensive logging in place to detect anomalous relay activity.
The resurgence of EchoSpoofing techniques demonstrates that threat actors are constantly evolving their methods to exploit the very systems designed to protect us. As email authentication standards become more widespread, attackers are shifting from breaking these protections to abusing them - a trend we expect to continue.
At Gradian, we're committed to helping organisations stay ahead of emerging threats like these. Our team of world-class specialists can answer questions about securing your email infrastructure or provide assistance in reviewing your Microsoft 365 configuration. We're here to help - so get in touch!
