Bug, feature or misconfiguration? Mails are accepted from arbitrary SMTP clients via the MX record

(@paddym), New Member, thread starter

Hi,

we opened a ticket with Microsoft because we noticed the following:

It is possible to send an e-mail into our Exchange Online tenant from a foreign/external SMTP e-mail client by specifying our MX record (myDomain-com.mail.protection.outlook.com).

Any value can be used as the sender address, as long as the domain is an Accepted Domain from our tenant.

So, for example, an outside third party can send a mail with the sender address of our board member to one of our employees and, e.g., commit CEO fraud.

From our point of view this is spoofing and must not be possible.

We tested this with the following PowerShell script from an external laptop:

$smtpServer = "myDomain-com.mail.protection.outlook.com"   # the tenant's MX host
$smtpFrom = "phishing@myDomain.com"                         # sender address in one of the tenant's Accepted Domains
$smtpTo = "j.doe@myDomain.com"                              # internal recipient
$messageSubject = "Testmail"
$messageBody = "Testmail"
$message = New-Object System.Net.Mail.MailMessage
$message.From = $smtpFrom
$message.To.Add($smtpTo)
$message.Subject = $messageSubject
$message.Body = $messageBody
$smtp = New-Object System.Net.Mail.SmtpClient($smtpServer)  # port 25, no credentials
$smtp.Send($message)

Reply from MS support:

Ignoring SPF, DKIM, DMARC, etc., etc. for a minute:

This is essentially how SMTP works. Sending email via the server that is authoritative for the domain you're sending email to does not require authentication. If it did, then everyone in the world would need to authenticate to every mail server in the world in order to send email to anyone.

If I telnet to your email server for the purpose of sending email to you then your server will accept my connection and will accept the email and deliver it to your mailbox. In this scenario I am sending email TO your server for someone who has a mailbox that your server is authoritative for... more specifically I am sending email to someone who has a mailbox and an email domain that your server is authoritative for. This IS NOT relaying.

If I telnet to your server and try to send an email to an email address outside of your organization your server would reject my attempt. In this scenario I am attempting to send email THROUGH your server to someone who has a mailbox/email domain that your server is not authoritative for. This IS relaying.

Creating a send connector for the ip address of your API, your web server, your printer, etc., etc. is a form of "authenticated relaying". In this scenario you are telling your email server that those ip addresses are allowed to send email through that connector to email addresses outside of your organization, which would be any email domain that your server is not authoritative for. There are several "forms" of authenticated relaying, this is just one.

Exchange Online is NOT an open relay, as you rightly discovered.

https://techcommunity.microsoft.com/blog/exchange/office-365-message-attribution/749143#:~:text=FAQ%20%232%20%E2%80%93%20Is%20Office%20365%20an%20open%20relay%3F

Why was the message not rejected despite failed authentication?

"It is crucial to understand that a failure in CAUTH alone does not directly lead to an email being blocked. Our system employs a holistic evaluation strategy, considering the overall suspicious nature of an email alongside CAUTH outcomes. This method is designed to mitigate the risk of incorrectly blocking legitimate emails from domains that may not strictly adhere to authentication protocols. Such a balanced approach helps in distinguishing genuinely malicious emails from those that simply fail to conform to standard authentication practices."

Email authentication in Microsoft 365 - Microsoft Defender for Office 365 | Microsoft Learn

Are we misunderstanding something here, or is MS support?

Thanks for your input!

Patrick
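The support answer describes two separate decisions an MX host makes: whether the RCPT TO domain is one it hosts (otherwise it is relaying and is refused), and, only afterwards, what the sender authentication results mean for the message. The following Python is an added illustration, not code from the thread or from Microsoft, of those two checks as RFC 5321 and RFC 7489 (DMARC) describe them, applied to the test message from the first post. All domains, IP addresses and the DNS data are constructed samples; Exchange Online's actual decision is the composite score the support quote mentions, so this only shows what a published DMARC policy contributes to it.

```python
"""Added example (not the forum's or Microsoft's code): the relay decision and
the DMARC evaluation an MX host applies to the thread's spoofed test message.
All domains, IPs and DNS records below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Domains the receiving tenant is authoritative for (its Accepted Domains).
ACCEPTED_DOMAINS: Set[str] = {"mydomain.com"}

# Constructed stand-in for DNS: authorised SPF senders and the DMARC record
# of the tenant's domain. A real MTA would look these up via DNS.
DNS: Dict[str, Dict] = {
    "mydomain.com": {
        "spf_ips": {"203.0.113.10"},  # the tenant's legitimate outbound host
        "dmarc": "v=DMARC1; p=reject; aspf=r; adkim=r",
    },
}


@dataclass
class InboundMessage:
    client_ip: str                 # IP of the connecting SMTP client
    mail_from: str                 # envelope sender (RFC5321.MailFrom)
    rcpt_to: str                   # envelope recipient
    header_from: str               # RFC5322.From, what the recipient sees
    dkim_d: Optional[str] = None   # d= of a valid DKIM signature, if present


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def relay_decision(msg: InboundMessage) -> str:
    """RCPT TO check: delivery to a hosted domain needs no authentication;
    delivery to any other domain would be relaying and is refused."""
    if domain_of(msg.rcpt_to) in ACCEPTED_DOMAINS:
        return "250 accept (local delivery)"
    return "550 5.7.1 relay denied"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels (no PSL lookup).
    return ".".join(domain.split(".")[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def spf_result(msg: InboundMessage) -> str:
    entry = DNS.get(domain_of(msg.mail_from))
    if entry is None:
        return "none"
    return "pass" if msg.client_ip in entry["spf_ips"] else "fail"


def dmarc_disposition(msg: InboundMessage) -> Tuple[str, str]:
    """Return (dmarc_result, action) for the header From domain."""
    from_domain = domain_of(msg.header_from)
    entry = DNS.get(from_domain)
    if entry is None or "dmarc" not in entry:
        return ("none", "deliver (no DMARC record)")
    tags = parse_dmarc(entry["dmarc"])
    spf_aligned = (spf_result(msg) == "pass"
                   and aligned(domain_of(msg.mail_from), from_domain, tags.get("aspf", "r")))
    dkim_aligned = (msg.dkim_d is not None
                    and aligned(msg.dkim_d, from_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    if policy == "reject":
        return ("fail", "reject")
    if policy == "quarantine":
        return ("fail", "quarantine")
    return ("fail", "deliver (p=none)")


# The thread's scenario: an external laptop (constructed IP) sends MAIL FROM an
# address in the tenant's own domain to an internal mailbox, without DKIM.
SPOOFED = InboundMessage("198.51.100.7", "phishing@myDomain.com",
                         "j.doe@myDomain.com", "phishing@myDomain.com")

if __name__ == "__main__":
    print(relay_decision(SPOOFED))     # accepted: the recipient domain is hosted here
    print(dmarc_disposition(SPOOFED))  # ('fail', 'reject') under p=reject
```

The relay check accepts the test message exactly as support says it should, because the recipient is a hosted mailbox. What decides the spoofing question is the second step: with `p=reject` the unsigned, SPF-failing message is rejected, while with `p=none` (or no DMARC record at all) the same message passes through to the mailbox and only the receiver's own heuristics remain. Changing the policy in `DNS["mydomain.com"]["dmarc"]` and re-running shows the difference.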

NorbertFe (@norbertfe), 1735 posts

Hello Patrick,

have a read here:

https://www.msxfaq.de/cloud/exchangeonline/transport/exo_dmarc_reject.htm

I haven't fully worked through it myself yet, but it reads as if this is your problem.