Exchange 365 single customer, anyone can send unauthenticated email from their accounts

Question

Exchange 365 single customer, anyone can send unauthenticated email from their accounts

Max 0

Hi everyone,

I've got a customer account, and if you know any of their email addresses, you can send, from their server, anonymously over port 25.

They have no connectors setup that would cause this. Even though I can't do this anywhere else, I also disabled DirectSend and enabled SmtpClientAuthenticationDisabled, but these emails still can go through.

I've got through all settings in ogranizationconfig and transportconfig, nothing looks off.

Anyone have any ideas?

Durachdan,

Max

2 answers

Your answer

Answer 1

AlexDN 1,855 Microsoft External Staff Moderator

Hi @Max
Thank you for posting your question in the Microsoft Q&A forum
To better understand what’s happening, could you please check:

Are emails coming from inside or outside the company?
Is this happening with all addresses or just a few?
Any devices or apps still using port 25?
Have you checked SPF records for open IP ranges?
Any old connectors or rules that might allow relay?

In the meantime, I recommend verifying that the tenant-level Reject Direct Send setting is enabled, as this explicitly blocks unauthenticated direct send traffic to Exchange Online. You can check this setting by running the following PowerShell commands:

Connect-ExchangeOnlineGet-OrganizationConfig | Format-List RejectDirectSend

If RejectDirectSend is set to False or not configured, enable it using:

Set-OrganizationConfig -RejectDirectSend $true

Besides, please review your SPF, DKIM, and DMARC DNS settings to ensure proper email authentication policies are in place, and audit any legacy devices or applications that might be using SMTP AUTH without proper authentication.

Note: Please understand that our initial response does not always resolve the issue immediately. However, with your help and more detailed information, we can work together to find a solution.

Your detailed response will help us diagnose and investigate the issue more efficiently. If I misunderstood what you’re looking for, feel free to let me know or share a screenshot. I’d be happy to help further!

Thank you for your cooperation. I'm looking forward for your reply.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Max 0 Reputation points

2025-07-23T18:49:05.1833333+00:00

Thanks for the response!

Are emails coming from inside or outside the company?:

So, the emails, which are sent from the domain, ie constoso.com, can be sent internally or externally. Just to show a script that allows me from any remote location to send an email on their behalf:

$sendMailMessageSplat = @{From = 'Insert Hacker Name Here ******@contoso.com';To = '******@notcontoso.com';Subject = 'Email with no authentication';Body = "Imagine not knowing this was fake";Priority = 'High';DeliveryNotificationOption = 'OnSuccess', 'OnFailure';SmtpServer = 'contoso-com.mail.protection.outlook.com';Port = '25'}

Send-MailMessage @sendMailMessageSplat

Is this happening with all addresses or just a few?:

An email can be sent from any valid email address in their Exchange Online.

Any devices or apps still using port 25?:

I honestly couldn't imagine what could possibly be using port 25.

Have you checked SPF records for open IP ranges?

I have...repeatedly LOL. It's actually currently got no IP's specifically listed in there at all, just the default o365 spf record.

Any old connectors or rules that might allow relay?

This was actually my first though. There is an old relay on there, but it's from o365 to a partner portal, configured for Bracket Encryption of emails, as it's called. I also temporarily build an internal SMTP relay for them restricted by IP, as that is what I use at a number of locations for scanners and the such to send internal emails. But of course in this situation, these "internal" emails can come from the outside, and be sent to the outside.

DirectSend was actually one of the first things I disabled. I also "enabled" the SmtpClientAuthenticationDisabled, grasping at straws. Not sure what else to check for SMTP Auth, but am currently googling like a madman.

Thanks for the reply,

Max
Max 0 Reputation points

2025-07-23T18:51:01.61+00:00

Also, I ensured SPF, DKIM, and DMARC are all setup correctly. It shows a pass for all three if I have the customer send me an email from one of their accounts. If I send a fake one, it still goes through, but shows all 3 failed. I've even setup an antiphishing>antispoofing rule. But of course, this isn't spoofing, this is literally the actual microsoft email server allowing anyone to send from any mailbox over port 25.

Answer 2

Hi @Max
Thanks for the update.

Could you check:

What public IP address is used when sending via the script? Is it listed in any Inbound Connector or allowlist?
Is the domain contoso.com listed as an accepted domain in the tenant?

In the meantime, I recommend:

Reviewing inbound connectors
Run the following to check if any connector is allowing unauthenticated traffic:
Get-InboundConnector | Format-List Name,ConnectorType,SenderIPAddresses,Enabled If the IP used in your test is listed, that could explain the relay behavior.
Checking accepted domains
If contoso.com is an accepted domain, Exchange Online may allow mail from it under certain conditions. You can verify with:
Get-AcceptedDomain
Auditing message trace logs
Use message trace to confirm how these messages are processed and whether they’re being accepted due to connector or domain trust.
Restricting Port 25 traffic at Network level
If possible, block port 25 traffic from external sources at the firewall or perimeter level to prevent unauthenticated relay attempts.
Enabling Enhanced filtering for connectors
This helps ensure that mail from external sources is properly identified and filtered, especially if connectors are involved.

Note: Please understand that our initial response does not always resolve the issue immediately. However, with your help and more detailed information, we can work together to find a solution.

Your detailed response will help us diagnose and investigate the issue more efficiently. If I misunderstood what you’re looking for, feel free to let me know or share a screenshot. I’d be happy to help further!

Thank you for your cooperation. I'm looking forward for your reply.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Max 0 Reputation points

2025-07-30T00:46:37.1866667+00:00

So, the smtp server being sent to in the script is setup like this:

<companyname>-com.mail.protection.outlook.com';Port = '25'

Only one connector is in place for a vendor, and it just send emails from specific users internally to an outbound email encryption service. So outbound only. Was definitely the first thing I looked for. I am half convinced there is an invisible one hidden somewhere, as the only way I know of to send anonymous emails over 25 INTERNALLY even, is to use a connector SMTP relay.

Just to reply to the recommendations numbered wise:

Only one connector, and it is to filter emails from specific users to an external party. So no joy there.

This I will definitely check tomorrow when I'm back in the office!

There unfortunately is no message trace for these emails.

Well, the port 25 being blocked, I believe would have to be done at Microsoft's level. Literally, anyone on the internet can send an email from this domain right now. Very scary.

I am not sure if this is valid with the information given to 1, but I'll definitely look into this. Grasping at straws at this point.

Thanks again very much for getting back with me. I'll post tomorrow about item 2.
Max 0 Reputation points

2025-08-04T15:58:38.3233333+00:00

Sorry for the delay on item 2. I did the accepteddomains command, and it just came back with the domain itself, and onmicrosoft, and mail.onmicrosoft for them.

Thanks again,

Max

Share via

Exchange 365 single customer, anyone can send unauthenticated email from their accounts

2 answers

Your answer