People,
I need some guidance and explanation for the Exchange Online MX record email relay.
My company is using EOP, hence the MX record is like the below:
company-com.mail.protection.outlook.com
domain1-com.mail.protection.outlook.com
domain2-net.mail.protection.outlook.com
...
When I am at the internet cafe and on the outside network, I can perform send email relay to *@mathieu.company .com, *@domain1.com and domain2.net from random.address@whatever .com using simple scripting and any method which can take SMTP anonymously.
All of the inbound email relays using the above MX records are successful and NOT quarantined nor rejected.
Is this the default behaviour or something must be done to secure this loophole?
I look forward to your reply.