Ghost (Sender) In the Machine
Email is ubiquitous as a form of communication, and as such it has several layers of built-in filters and protections for secure delivery. But what happens when those filters miss something potentially harmful? Ghost-Sender, the newest wave of email spoofing, does exactly that: it can send messages in bulk with high phishing potential while bypassing the default protections that would otherwise mark them as spam or simply fail to deliver them.
Under normal circumstances, there are several markers that identify a legitimate message, whether it comes from an external source or from the internal network. Sender Policy Framework (SPF) is a DNS record listing the servers authorized to send mail on a domain's behalf, something like an employee directory. DomainKeys Identified Mail (DKIM) works like a digital signature on the message. Domain-based Message Authentication, Reporting and Conformance (DMARC) tells the receiving server what to do with a message when the first two checks fail. All three work in concert to authenticate the sender, and they have a variety of settings that most people probably never think about. A Mail Exchanger (MX) record in DNS specifies which server receives mail for a domain. Ghost-Sender bypasses all of them in their default configurations, delivering the message without any warning to the recipient that it's spoofed.
Currently it's being seen in Exchange Online, the cloud-based platform for Outlook. The potential for exploitation is high: fake invoices, phishing campaigns, internal spoofing of executive addresses, and impersonation of connected networked accounts, complete with accurately rendered icons, are among the ways it could be used. Given the nature of online culture, I can see it being leveraged for harassment campaigns and trolling as well.
Microsoft is aware of this problem, evidently. In April a mitigation attempt was rolled out for internal spoofing, but it was rolled back just days later. As of the end of May, the company classified the issue as a ‘known architectural limitation’ rather than a product vulnerability, and no platform-level fix has been issued, according to Cyber Press. Meanwhile, it’s being abused in the wild, with little news to even warn users about it. In my research into the topic this morning, I found a link to a YouTube tutorial on how to use it to send bulk emails just blatantly in the open. That said, both Cyber Press and InfoGuard (who discovered it; their article is the first link) have suggestions on how to mitigate and/or prevent these spoofed emails from clogging one’s inbox.
There are two suggestions that have been proven to block Ghost-Sender. The first is deploying a Partner Organization inbound connector with a wildcard domain match and an IP- or certificate-based sender restriction. The second is creating a priority-0 mail flow rule that quarantines all inbound mail that does not originate from approved IP ranges or lacks the 'X-MS-Exchange-Organization-AuthAs: Internal' header. InfoGuard also suggests pointing the domain's MX record at Exchange Online Protection (EOP), so that all inbound messages traverse that filter. This suggestion is not completely foolproof, but further testing of it has shown improvement.
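The two mitigations above, written out as Exchange Online PowerShell. This is an added example, not code from the post, from InfoGuard or from Cyber Press; it assumes an existing Connect-ExchangeOnline session with rights to manage connectors and mail flow rules, and the IP ranges and certificate name are placeholders to be replaced with your own approved inbound sources.

```powershell
# Added example. Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline)
# with an admin that can manage inbound connectors and transport rules.
# The IP ranges below are RFC 5737 documentation ranges used as PLACEHOLDERS;
# the certificate name is a hypothetical placeholder as well.

$approvedIpRanges = @('192.0.2.0/24', '198.51.100.0/24')   # PLACEHOLDER: your gateway / approved source ranges
$partnerCertName  = '*.gateway.example.net'                 # PLACEHOLDER: hypothetical partner TLS certificate name

# 1. Partner inbound connector with a wildcard domain match, restricted to the
#    approved source IPs. For a certificate-based restriction instead, replace
#    -RestrictDomainsToIPAddresses/-SenderIPAddresses with
#    -RestrictDomainsToCertificate $true -TlsSenderCertificateName $partnerCertName.
New-InboundConnector -Name 'Approved inbound gateway only' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $approvedIpRanges `
    -RequireTls $true `
    -Enabled $true

# 2. Priority-0 mail flow rule: quarantine every message delivered to an internal
#    recipient UNLESS it came from an approved IP range OR Exchange already
#    authenticated it as internal (X-MS-Exchange-Organization-AuthAs: Internal).
#    Exceptions on a transport rule are OR'ed together, which is the logic wanted here.
#    Start in Audit mode and switch to Enforce once the message trace looks right.
New-TransportRule -Name 'Quarantine unauthenticated inbound (Ghost-Sender)' `
    -Priority 0 `
    -SentToScope InOrganization `
    -ExceptIfSenderIpRanges $approvedIpRanges `
    -ExceptIfHeaderMatchesMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -ExceptIfHeaderMatchesPatterns '^Internal$' `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Ghost-Sender mitigation; Audit first, then Set-TransportRule -Mode Enforce.'

# Verification: the rule must sit at priority 0 and be enabled, and the connector must exist.
Get-TransportRule -Identity 'Quarantine unauthenticated inbound (Ghost-Sender)' |
    Format-List Name, Priority, State, Mode, ExceptIfSenderIpRanges, ExceptIfHeaderMatchesPatterns
Get-InboundConnector -Identity 'Approved inbound gateway only' |
    Format-List Name, ConnectorType, SenderDomains, RestrictDomainsToIPAddresses, SenderIPAddresses
```

Review the quarantined mail in Audit mode before enforcing, since any legitimate inbound source not in the approved ranges (a third-party scanner, a forwarding service) will be caught by the rule as well.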
Microsoft itself has some contradictory documentation on which settings should be used to prevent this type of incursion. Some best-practice guidance says that pointing the MX record at EOP is enough, while other guidance warns that this configuration alone may still carry risk. Frankly, that tracks, considering Microsoft has no intention of fixing this vulnerability and is putting the onus on the user to configure their own account, regardless of their understanding of how it works. But that's why your friendly neighborhood WISP is here to educate and help. InfoGuard has also put together a free testing site to check whether your account or network is vulnerable (found here).
Posted 6/11/26