TLDR:
Sending email using msmtp via Microsoft 365, I was able to authenticate using [email protected] and send email as [email protected] without issues or triggering any security mechanisms.
So I think Microsoft f#cked up, again.
I ranted about Outlook before; check it out if you are curious: Am I the crazy one here or is this terrible design?
At work my team got permission to use [email protected] to send notifications from a server we run independently, meaning company IT did an audit and said it's fine, you can use this email for notifications.
I went ahead and installed msmtp on our dev server to try to use Microsoft 365 SMTP to send emails, instead of potentially triggering spam filters if we just use sendmail or whatever.
I created a .msmtprc config:
account default
host smtp.office365.com
port 587
auth on
user [email protected]
password app_password
from [email protected]
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
Created an alias:
echo "alias sendmail='msmtp -t'" >> ~/.bashrc
And tried sending a test email:
echo "Test email" | sendmail -v [email protected]
It started spewing out a bunch of lines about communication with mail.protection.outlook.com and I immediately went "oh crap, I didn't specify a from address".
Well, it did not matter; it happily accepted and delivered the email from [email protected].
>>> MAIL From:<[email protected]> SIZE=11 [email protected]
250 2.1.0 <[email protected]>... Sender ok
Outlook had no idea the email came from inside the organization; it was guessing it might be from a bunch of companies and people named Root on LinkedIn. Basically, spoofing the email worked just fine.
I want to try [email protected] in the from field and see what happens, but IT told me to leave it alone. I want to try a different domain that is not a subdomain of our company. Do we have some Microsoft 365 admins in the crowd? Can someone try? If it works, technically any user can impersonate any other user, and you can get a bounty for reporting it, maybe?
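The `-v` transcript is the only record of what happened on the wire, so here is a small checker, added here and not part of the original post, that reads an `msmtp -v` or `sendmail -v` transcript and reports three things: which Microsoft 365 endpoint the session talked to (smtp.office365.com on 587 is the authenticated client submission service; hosts under mail.protection.outlook.com are the inbound MX of Exchange Online Protection, which accepts mail from anyone on the internet without SMTP AUTH and leaves the sender's legitimacy to SPF/DKIM/DMARC), whether SMTP AUTH actually succeeded (a 235 reply), and whether the MAIL FROM the server accepted matches the account the session authenticated as. The two transcripts embedded in it are constructed samples with placeholder hosts and addresses, not the author's real log; `auth_user` is the `user` value from .msmtprc.

```python
import re

# Added example (not the author's code). Two constructed transcripts in the style
# of `msmtp -v` (client lines "-->", server lines "<--") and `sendmail -v`
# (client lines ">>>", bare server replies). Hosts and addresses are placeholders.
SAMPLE_SUBMISSION_LOG = """\
host                  = smtp.office365.com
port                  = 587
<-- 220 XX.outlook.office365.com Microsoft ESMTP MAIL Service ready
--> EHLO devserver.example.com
<-- 250-AUTH LOGIN XOAUTH2
--> STARTTLS
--> AUTH PLAIN <redacted>
<-- 235 2.7.0 Authentication successful
--> MAIL FROM:<root@devserver.example.com> SIZE=11
<-- 250 2.1.0 Sender OK
--> RCPT TO:<me@example.com>
<-- 250 2.1.5 Recipient OK
"""

SAMPLE_MX_LOG = """\
Connecting to example-com.mail.protection.outlook.com. via esmtp...
220 XX.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready
>>> EHLO devserver.example.com
>>> MAIL From:<root@devserver.example.com> SIZE=11
>>> RCPT To:<me@example.com>
>>> DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
"""

HOST_RE = re.compile(r"^(?:host\s*=\s*|Connecting to\s+)(\S+?)\.?(?:\s|$)", re.M)
MAIL_FROM_RE = re.compile(r"^(?:-->|>>>)\s*MAIL FROM:\s*<([^>]*)>", re.I)
REPLY_RE = re.compile(r"^(?:<--\s*)?(\d{3})[ -]")
AUTH_OK_RE = re.compile(r"^(?:<--\s*)?235[ -]")


def classify_endpoint(host):
    """Which Microsoft 365 SMTP surface the session talked to."""
    if host.endswith(".mail.protection.outlook.com"):
        return "inbound MX (EOP): unauthenticated delivery, judged by SPF/DKIM/DMARC"
    if host == "smtp.office365.com":
        return "client submission (SMTP AUTH on 587)"
    return "unknown"


def analyse_session(log, auth_user):
    """Extract host, AUTH result and the server's MAIL FROM verdict, and compare
    the envelope sender with the identity the client authenticated as."""
    lines = log.splitlines()
    result = {"host": None, "endpoint": "unknown", "authenticated": False,
              "mail_from": None, "sender_accepted": None,
              "sender_matches_auth": None}
    m = HOST_RE.search(log)
    if m:
        result["host"] = m.group(1).rstrip(".").lower()
        result["endpoint"] = classify_endpoint(result["host"])
    for i, line in enumerate(lines):
        if AUTH_OK_RE.match(line):
            result["authenticated"] = True
        mf = MAIL_FROM_RE.match(line)
        if mf:
            result["mail_from"] = mf.group(1).strip().lower()
            # With PIPELINING the client may send RCPT/DATA before any reply
            # arrives, so skip client lines and take the first server reply.
            for reply in lines[i + 1:]:
                code = REPLY_RE.match(reply)
                if code:
                    result["sender_accepted"] = code.group(1).startswith("2")
                    break
    if result["mail_from"] is not None:
        result["sender_matches_auth"] = (
            result["mail_from"] == auth_user.strip().lower())
    return result


def verdict(result):
    """One-line summary suitable for a cron or CI log."""
    if result["mail_from"] is None:
        return "no MAIL FROM seen"
    if not result["authenticated"]:
        return "WARNING: no SMTP AUTH in this session (endpoint: %s)" % result["endpoint"]
    if result["sender_accepted"] and not result["sender_matches_auth"]:
        return ("WARNING: server accepted envelope sender %s although the session "
                "authenticated as a different user" % result["mail_from"])
    return "OK: envelope sender matches the authenticated user"


if __name__ == "__main__":
    for name, log in (("submission", SAMPLE_SUBMISSION_LOG), ("mx", SAMPLE_MX_LOG)):
        r = analyse_session(log, "service@example.com")
        print(name, r["host"], "->", verdict(r))
```

Run it against the real transcript (for example `sendmail -v ... 2>&1 | tee transcript.log`) with the `user` from .msmtprc as `auth_user`. A transcript with no 235 reply never presented the app password at all, and a 250 to a mismatched MAIL FROM on smtp.office365.com after a 235 is exactly the behaviour the post asks Microsoft 365 admins to confirm.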