Echospoofing Is Back - And It's Even Easier For Attackers To Reach Inboxes
Symantec, June 30, 2025
For years, most people in the IT industry had confidence in Microsoft's ability to strictly control mail flow via Office 365 (these days known officially as Microsoft 365).
In other words, they were confident Microsoft had made it impossible for one email customer to impersonate another.
EchoSpoofing, first revealed in 2024, exploited Office 365 mail flows to send spoofed emails that passed SPF and DKIM checks despite being fraudulent.
Attackers used hybrid connectors and on-premises servers to bypass Microsoft's authentication measures, delivering spoofed emails via their own tenants.
A new EchoSpoofing variant has since emerged, leveraging third-party email hygiene providers to increase the authenticity and delivery success of spoofed messages.
To mitigate the risk of a successful attack, enforce strict SPF, DKIM and DMARC policies, avoid authorizing high-risk Microsoft IP ranges in your SPF record, and use advanced data protection rules with your hosted email security service.