> Microsoft confirmed the vulnerabilities (with severity “Important”, the highest severity assigned to email spoofing bugs) and awarded us a bug bounty. They have partially fixed the issues by rejecting spoofed email messages purporting to be from domains that have a DMARC policy of REJECT.

However, I could still replicate this on an o365 domain, so this attack would still work if an attacker has access to an o365 domain.