On Thu, 10 May 2018 13:49:15 +0000 (UTC) Pedro David Marco wrote:
>
> David Jones wrote:
> > It's not only compromised well-established accounts. Based on the odd
> > domain names I have seen, I am pretty sure that Microsoft allows
> > trials of O365 so spammers are signing up and blasting out
> > junk/phishing emails until they are discovered. These spammers can
> > spoof anyone on O365 like toysrus.com and the SPF checks will pass.
>
> I totally agree with David, I have seen trial periods of 45 days for
> O365, then spoofing any other O365 customer is trivial with SPF
> totally pointless.
But have you actually tried it? I had a concern about travelodge.co.uk being whitelisted when its SPF includes gmail, but I tried spoofing it through smtp.gmail.com and it didn't work. Microsoft has a list of domains it hosts and a list of hosted domains (and/or its own addresses) tied to each account. Given how much reliance MS place on DMARC's preventing spoofing, and how easy it would be for them to prevent one user spoofing another's domain on submission, I'd be very surprised if they allow it. Paul Stead claims to have seen it, but it's important to positively identify it as spoofing and not hacking.