Below is an example of the security problems with Outlook.com.
The message is accepted from unauthenticated SMTP.
SPF/DKIM/DMARC tests are performed on the message and documented with multiple authentication result headers. The headers confirm that the message was accepted without authentication.
The message is processed as if it were valid, and then a signature is added for yeshimconsulting.onmicrosoft.com. (If the domain had the correct CNAME entries configured, it would have received a signature for yeshimconsulting.com.)
The message leaves Outlook.com with SPF Pass, and could have left with DMARC Pass as well.
The body of this message had a fraudulent link that requested review on an internal policy document.
Unfortunately, I have many legitimate correspondents who send messages that depend on this security hole. I could add full-header parsing logic so that I can detect this problem, then create a policy table with allow rules for the legitimate senders. I am reluctant to do that because my incoming filter process is taking an unacceptable amount of time to process each message already, but it may be necessary.
I have filed an abuse report with abuse@outlook.com, but they never acknowledge the submission. I am probably wasting my time, especially since they have clients who depend on the security hole.
I note that Microsoft Forefront checked the message for spam, but found nothing wrong, as usual.
FYI. Very frustrated.
Message Headers
Authentication-Results: smtp.<redacted>.com; arc=pass
Received: from SN4PR2101CU001.outbound.protection.outlook.com (mail-southcentralusazon11022099.outbound.protection.outlook.com [40.93.195.99])
by <redacted>.com
with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256);
Tue, 23 Sep 2025 11:59:01 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=HmBubS0WzTbyO3UWt7ueOpABhX2UFQ8NX2rNx7rQVJNbE8WPM04SJ1+OvdXQ987wH0nnouLmyG+z+vTekZtgfdHH0KAB99nLvWUmLxiVe1bajAjt9v08lyV/ZRZ2woRPTXtySS9PI5a7L3SCLcTFJ+0vNWaBLYj0SNCqdvLKzI6stxarh4chDW9BxzjWFGvkuR9cMZd3ZcfqU+RygozhfX03PNCKtvlQ6p15gW5/O61HjhdLtxKj3emY3QHO5K10izNjEE2V33Gw7xl96Q/L4v+UBWxkgo8uRc+/xz4bC6V7cOpx9W0/5D/71Rwd+uP3UFwRE6AJTgqbvsyyzKVdFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=P/aLBHSm1ZdroTvLOQFBuM5um14DEQQ/RkJHuYeiioM=;
b=bt7Ks2XIoKEyaBlwN9/WWKiqfIlxSJvKdQ1KgrOzmEMYsN5cxBIntiDM7aAKwvHm3BVN5l0PgWjhNI6VUbneHbQ+XJzg3us6VeMLSmRE0474XTVjWpaNRvbgnWOaHnBeG6JVmscXUmoKbXgrc69uubfqkRSpsvgxp/OHrp2ZbFK0Nequt3wybJYDh1UbxmdJr2BBQe0D3pF2Bs9NZYaHxxilMWvO7/GrvF7AFtpjCA8FhZeOb8M5NvH89VN087nkmektWyeYZ7NiT0dfhEUOHmma/7Q+H36lN9uDxcO0sddeLdeTAYgBnla19Q/cXY12sg55kfF+HLSr0Aj57klqNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
103.125.219.144) smtp.rcpttodomain=bayviewphysicians.com
smtp.mailfrom=yes-himconsulting.com; dmarc=fail (p=none sp=none pct=100)
action=none header.from=yes-himconsulting.com; dkim=none (message not
signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yeshimconsulting.onmicrosoft.com;
s=selector2-yeshimconsulting-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=P/aLBHSm1ZdroTvLOQFBuM5um14DEQQ/RkJHuYeiioM=;
b=oFZDtau5Ml3gUwt8matzaY+iI3QMu+kBWD6Q2+gJQfeNcACNr9qDOZBec1Jw7Ggg3hOXrxsGjLgFjhrvMqD/QnlrYLep+WMW3qijRlRRBdyNE0o8Ad6tzp+NaR5Cr42uw4C8ibwUis6ETXMuffsN9Mpc9AGQetMk5lkKIudnhzo=
Received: from DM6PR06CA0042.namprd06.prod.outlook.com (2603:10b6:5:54::19) by
SJ2PR22MB3965.namprd22.prod.outlook.com (2603:10b6:a03:501::22) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9137.19; Tue, 23 Sep
2025 15:58:57 +0000
Received: from CY4PEPF0000EE3D.namprd03.prod.outlook.com
(2603:10b6:5:54:cafe::49) by DM6PR06CA0042.outlook.office365.com
(2603:10b6:5:54::19) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.9137.20 via Frontend Transport; Tue,
23 Sep 2025 15:58:57 +0000
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 103.125.219.144)
smtp.mailfrom=yes-himconsulting.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=none header.from=yes-himconsulting.com;
Received-SPF: Fail (protection.outlook.com: domain of yes-himconsulting.com
does not designate 103.125.219.144 as permitted sender)
receiver=protection.outlook.com; client-ip=103.125.219.144;
helo=103.125.219.144;
Received: from 103.125.219.144 (103.125.219.144) by
CY4PEPF0000EE3D.mail.protection.outlook.com (10.167.242.15) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9137.12
via Frontend Transport; Tue, 23 Sep 2025 15:58:56 +0000
Date: Tue, 23 Sep 2025 15:58:55 +0000
To: <redacted>
Subject: <redacted company name> Revised Q4 Handbook 23 Sep, 2025 8AF4-SFRZ1F-VSH1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="===============2994925143539375055=="
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE3D:EE_|SJ2PR22MB3965:EE_
X-MS-Office365-Filtering-Correlation-Id: a37f375b-fdd0-489e-db10-08ddfaba1a80
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|82310400026|34070700014|36860700013|1800799024|110011033|8096899003;
X-Forefront-Antispam-Report: CIP:103.125.219.144;CTRY:JP;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:103.125.219.144;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(376014)(82310400026)(34070700014)(36860700013)(1800799024)(110011033)(8096899003);DIR:OUT;SFP:1102;
X-OriginatorOrg: yes-himconsulting.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Sep 2025 15:58:56.6924 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a37f375b-fdd0-489e-db10-08ddfaba1a80
X-MS-Exchange-CrossTenant-Id: 63d579c8-4752-4690-9aba-5b5db313fbf0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=63d579c8-4752-4690-9aba-5b5db313fbf0;Ip=[103.125.219.144];Helo=[103.125.219.144]
X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EE3D.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR22MB3965
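
The full-header check and allow table mentioned in the post could look like the sketch below. It is an added example, not part of the original post and not Microsoft's code. The policy table `ALLOWED_FROM_DOMAINS`, the domain `legit-partner.example` and the host `mx.example.net` are assumptions, and the sample is a trimmed copy of the headers above.

```python
import re
from email import message_from_string
from email.policy import default

# Hypothetical policy table: header.from domains allowed to relay unauthenticated.
ALLOWED_FROM_DOMAINS = {"legit-partner.example"}

# Constructed sample: a trimmed copy of the headers above; mx.example.net
# stands in for the redacted receiving host.
SAMPLE = """\
Received: from SN4PR2101CU001.outbound.protection.outlook.com
 by mx.example.net; Tue, 23 Sep 2025 11:59:01 -0400
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 103.125.219.144)
 smtp.mailfrom=yes-himconsulting.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=yes-himconsulting.com;
X-Forefront-Antispam-Report: CIP:103.125.219.144;CTRY:JP;SCL:1;SFV:NSPM;DIR:OUT;
X-MS-Exchange-CrossTenant-AuthAs: Anonymous

(body omitted)
"""

def auth_results(value):
    """Map spf/dkim/dmarc to their result keyword, e.g. {'spf': 'fail'}."""
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def classify(raw):
    """Return (verdict, header_from_domain) for one raw message."""
    msg = message_from_string(raw, policy=default)
    hdr = lambda name: str(msg.get(name, ""))
    # Only the topmost Received line is written by our own MTA; a production
    # filter should use the verified connecting host instead of this text.
    received = msg.get_all("Received") or [""]
    via_outlook = "outbound.protection.outlook.com" in str(received[0]).lower()
    xar = hdr("X-MS-Exchange-Authentication-Results")
    res = auth_results(xar)
    m = re.search(r"header\.from=([\w.-]+)", xar, re.I)
    domain = m.group(1).lower() if m else None
    unauthenticated = (
        bool(res) and res.get("spf") != "pass" and res.get("dkim") != "pass"
        and hdr("X-MS-Exchange-CrossTenant-AuthAs").strip().lower() == "anonymous"
        and "DIR:OUT" in hdr("X-Forefront-Antispam-Report").upper()
    )
    if not (via_outlook and unauthenticated):
        return ("ok", domain)
    if domain in ALLOWED_FROM_DOMAINS:
        return ("allowed", domain)
    return ("suspect-relay", domain)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The check reads only the inner Microsoft-stamped headers, so it is meaningful only after the receiving server has confirmed that the connection really came from Outlook.com outbound hosts.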