SecureCyber | Security Alert | June 2026
A new email attack campaign is making the rounds, and it is designed specifically to slip past your email filters. The messages involved do not include a valid sender address or a return path, meaning they look like they came from nowhere. That is not an accident. It is the point.
Here is what is happening, why it matters, and what you can do about it today.
Every legitimate email is supposed to include two key pieces of identifying information: a From header (the visible sender address you see in your inbox) and a Return-Path header (a behind-the-scenes address used for bounce handling and email authentication checks).
There are published internet standards that define exactly how these should work. The primary one is called RFC 5322, and it has been the governing standard for email formatting for decades. These standards are not optional suggestions. They are the foundation that spam filters, phishing detectors, and authentication systems like SPF, DKIM, and DMARC are built on.
Attackers have figured out that if they send emails that deliberately omit or break these headers, some security systems get confused. Instead of blocking the message outright, certain filters skip it, mishandle it, or let it pass through because the message does not match patterns they were trained to catch.
The result: a malicious email lands in your employees' inboxes with no visible sender, no tracking address, and no clear origin. Many users will not notice. Some will click.
This campaign is specifically designed to exploit gaps in how Microsoft 365 and Exchange Online process non-standard messages. Because these messages do not follow the normal format, they can be inconsistently handled across security layers, sometimes resulting in delivery that bypasses expected controls.
Microsoft's own documentation acknowledges that anti-spoofing protections in Microsoft 365 focus heavily on the From header field. When that field is missing or malformed, the behavior of those protections can become unpredictable.
This is not a vulnerability in Microsoft 365 in the traditional sense. There is no CVE number to patch. It is a gap between how email standards are written, how attackers craft messages, and how security systems respond to edge cases.
If your organization uses Microsoft 365 for email and you have not taken specific steps to block or quarantine messages missing sender headers, you may be receiving these messages right now. Your employees may already be seeing them.
These types of emails are most commonly used to deliver phishing content, credential harvesting pages, or malicious links. Because they appear to come from nowhere, they can be harder to trace after the fact.
This is not limited to large organizations. Small local governments, utilities, credit unions, and businesses of every size use Microsoft 365 and are equally exposed.
If SecureCyber manages your FortiMail or email security environment, our team is already evaluating this threat and taking appropriate steps. We monitor threat intelligence sources and implement mitigations as new campaigns are identified. If you have questions about your specific configuration, contact your SecureCyber service team directly.
This one requires action on your part. The recommended fix is to create a mail flow rule inside Exchange Online (also called a transport rule) that automatically quarantines or rejects any inbound external email where both of the following are true:
Important note before you apply this rule: Start with quarantine or test mode first. Some automated systems, such as equipment alerts, monitoring platforms, or scheduling tools, may send messages that lack standard sender headers. You do not want to accidentally block those. Run the rule in monitoring mode for a few days, review what gets caught, and then tighten it once you are confident.
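To support the review step during monitoring mode, the following added example (not SecureCyber's or Microsoft's code) checks exported raw messages for a missing or unparseable From header and a missing or null Return-Path. The finding labels, function names, and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

def sender_findings(raw: bytes) -> list[str]:
    """List the ways a message's From / Return-Path headers are missing or broken."""
    # compat32 keeps header values as they appear, with no normalisation.
    msg = message_from_bytes(raw, policy=policy.compat32)
    findings = []

    from_value = msg.get("From")
    if from_value is None:
        findings.append("from-missing")
    else:
        # A From header is only useful if it carries local@domain.
        _, addr = parseaddr(str(from_value))
        local, _, domain = addr.rpartition("@")
        if not local or not domain:
            findings.append("from-no-address")

    return_path = msg.get("Return-Path")
    if return_path is None:
        findings.append("return-path-missing")
    elif str(return_path).strip() in ("", "<>"):
        # A null return path is normal for bounce messages, so report it
        # separately instead of treating it as missing.
        findings.append("return-path-null")
    return findings

# Constructed sample messages (hypothetical, not taken from the campaign).
SAMPLES = {
    "normal": b"From: Alice <alice@example.com>\r\n"
              b"Return-Path: <alice@example.com>\r\n"
              b"Subject: Minutes\r\n\r\nSee attached.\r\n",
    "no_sender": b"To: user@example.org\r\n"
                 b"Subject: Invoice overdue\r\n\r\nOpen the link.\r\n",
    "empty_from": b"From: \r\nReturn-Path: <>\r\n"
                  b"Subject: Voicemail\r\n\r\nListen now.\r\n",
}

def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to its list of findings (empty list = clean)."""
    return {name: sender_findings(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name:12} {', '.join(findings) or 'ok'}")
```

Messages that show only `return-path-null` with a valid From are often legitimate bounces or device alerts, which is the class of mail the monitoring period is meant to surface before the rule is tightened.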
Here is the high-level rule logic to give your IT team or Microsoft 365 administrator:
If you are unsure how to build this rule, need help reviewing what is currently being caught, or want a second set of eyes on your email security configuration, SecureCyber can help.
Train your employees to be suspicious of any email that:
When in doubt, delete it. If it was legitimate, the sender will follow up through another channel.
The following are publicly available, validated sources related to this issue:
If you are unsure whether your environment is protected, want help building the Exchange Online rule, or would like SecureCyber to review your email security posture, reach out.