Microsoft offers email services for business customers; the advertisement page says «Securely run and grow your business».
Microsoft Office 365 is a good service for phishing attacks.
To use the Office 365 mail service for your domain, you configure the domain's MX record to point at a customer-specific mail relay under mail.protection.outlook.com.
For example, Tele2 uses the mail server tele2-ru.mail.protection.outlook.com:
> dig tele2.ru MX
;; ANSWER SECTION:
tele2.ru. 90 IN MX 0 tele2-ru.mail.protection.outlook.com.
According to the domain's SPF record, messages that fail the sender check should be rejected (the record ends in -all, a hard fail):
> dig tele2.ru TXT
;; ANSWER SECTION:
tele2.ru. 2394 IN TXT "v=spf1 include:spf.tele2.ru include:spf.protection.outlook.com -all"
However, the SPF policy is not enforced on Microsoft's own mail relays.
The sender address can be forged.
No authentication is needed to send a forged email through such a Microsoft relay. The spoofed message does not land in spam, and the OWA interface shows no warning; it even loads the sender's avatar if one exists.
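To make concrete what the relay is supposed to do with an inbound message, here is an added example (my own illustration, not code from the post's author or from Microsoft) of the SPF evaluation a receiving relay performs, starting from the tele2.ru record shown above. The DNS table it consults is constructed: the address ranges it assigns to spf.tele2.ru and spf.protection.outlook.com are made up for the demo and are not the real contents of those records, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6, include and all mechanisms.

Added example. FAKE_DNS_TXT is a constructed stand-in for DNS TXT lookups;
the address ranges below are hypothetical, not the real records.
"""
import ipaddress

# Constructed DNS data (hypothetical ranges; the tele2.ru entry mirrors the
# record quoted in the post, the include targets are invented).
FAKE_DNS_TXT = {
    "tele2.ru": "v=spf1 include:spf.tele2.ru include:spf.protection.outlook.com -all",
    "spf.tele2.ru": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on include/a/mx/... lookups


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the v=spf1 record for domain, or None if the domain has none."""
    txt = dns.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_host(client_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for a connection from client_ip claiming MAIL FROM @domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include evaluation
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(client_ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail/softfail/neutral inside an include: try the next term (RFC 7208 5.2)
        else:
            # a, mx, ptr, exists, exp and modifiers are out of scope for this demo
            continue
    return "neutral"  # no mechanism matched and no "all" term present


def should_reject(client_ip, domain, dns=FAKE_DNS_TXT):
    """Policy the relay is expected to apply: reject on a hard SPF fail."""
    return check_host(client_ip, domain, dns) == "fail"


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9", "2001:db8:1::5", "192.0.2.1"):
        print(src, check_host(src, "tele2.ru"), "reject" if should_reject(src, "tele2.ru") else "accept")
```

With the constructed table, a connection from an address inside either include's range passes, while a connection from an unlisted address such as 192.0.2.1 reaches the -all term and is a hard fail, which is the verdict a relay honouring the tele2.ru record should act on.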
At the end of 2018, Microsoft still can't configure mail servers.
A year has passed since I reported the bug to Microsoft.