Exchange Online MX Record *.mail.protection.outlook.com security default and hardening best practice?

EnterpriseArchitect 6,061 Reputation points
2022-09-20T04:53:36.893+00:00

People,

I need some guidance and explanation for the Exchange Online MX record email relay.

My company is using EOP, hence the MX record is like the below:

company-com.mail.protection.outlook.com  
domain1-com.mail.protection.outlook.com  
domain2-net.mail.protection.outlook.com  
...  

When I am at the internet cafe and on the outside network, I can perform send email relay to *@mathieu.company .com, *@domain1.com and domain2.net from random.address@whatever .com using simple scripting and any method which can take SMTP anonymously.

All of the inbound email relays using the above MX records are successful and NOT quarantined nor rejected.

Is this the default behaviour, or must something be done to secure this loophole?

I look forward to your reply.

Exchange Online
Exchange | Exchange Server | Management
Exchange | Hybrid management

Accepted answer
  1. Andy David - MVP 158K Reputation points MVP Volunteer Moderator
    2022-09-20T11:51:14.957+00:00

    If you mean you can send to those domains as any address, that is expected and the way SMTP works. If you didn't allow this, you wouldn't be able to receive mail from the internet.

    Ensure you have your anti-spam/anti-phishing set up correctly in EOP/Defender.

    https://learn.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/anti-spam-and-anti-malware-protection-eop#customize-anti-spam-policies

    1 person found this answer helpful.
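
The distinction the accepted answer draws, as an added example that is not part of the original thread: an MX host accepting anonymous mail *for its own domains* is inbound delivery, while accepting anonymous mail for *other* domains would be an open relay. This models the general decision of an inbound mail host, not Exchange Online's own logic; the accepted-domain list is assumed from the question and the transcript and the names `classify_session` and `domain_of` are constructed for illustration.

```python
import re

# Assumption: the tenant's accepted domains, taken from the addresses in the question.
ACCEPTED_DOMAINS = {"domain1.com", "domain2.net"}

# Constructed transcript of the commands an unauthenticated internet client sends.
SAMPLE_SESSION = """\
EHLO cafe-laptop.example
MAIL FROM:<random.address@whatever.example>
RCPT TO:<alice@domain1.com>
RCPT TO:<bob@DOMAIN2.NET>
RCPT TO:<carol@example.org>
DATA
"""

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>", re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def classify_session(transcript, accepted=ACCEPTED_DOMAINS, authenticated=False):
    """Classify every RCPT TO in a client transcript as (recipient, verdict).

    'inbound' - recipient is in an accepted domain: any sender may submit,
                and content filtering (anti-spam/anti-phishing) judges it later
    'relay'   - recipient is elsewhere, but the client is authenticated/trusted
    'refuse'  - recipient is elsewhere and the client is anonymous; accepting
                this is what would make the host an open relay
    Note that the MAIL FROM address plays no part in the decision.
    """
    results = []
    for line in transcript.splitlines():
        m = ADDR.match(line.strip())
        if not m or m.group(1).upper() != "RCPT TO":
            continue
        rcpt = m.group(2)
        if domain_of(rcpt) in accepted:
            verdict = "inbound"
        else:
            verdict = "relay" if authenticated else "refuse"
        results.append((rcpt, verdict))
    return results


if __name__ == "__main__":
    for rcpt, verdict in classify_session(SAMPLE_SESSION):
        print(f"{verdict:8} {rcpt}")
```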
