When you spin up a Microsoft 365 environment to handle email for your corporate or other organization, the system assigns you a default email domain that looks like something.onmicrosoft.com. This subdomain (with your Microsoft environment tenant name in it) is meant as a placeholder until you set up your real domain name for email. It gives admins a test platform to do a bit of email sending to see how things work, and I don't really think it's meant for long term use.
Lots of organizations never actually send with it. But spammers and phishers found a way to exploit this default testing email domain for nefarious purposes. Instead of putting their own domain's reputation at risk, they abuse the onmicrosoft.com subdomain and pump out phishing, spoofing, or spam. That abuse damages the domain's reputation and results in a lot of bad mail floating out in the world signed with onmicrosoft.com addresses.
Microsoft has come up with a fix to limit abusive use of this default domain. Starting in October, tenants using their default onmicrosoft.com domain will be restricted to 100 external recipients per day. That limit applies per organization, not per user, and it will make life much harder for abusers trying to scale up an M365 environment to use it as a spam cannon.
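To see what the new cap means in practice, it helps to count the way Microsoft will: external recipients, per day, summed across every mailbox in the tenant that still sends from the default domain. The script below is an added example, not code from the post or from Microsoft. It reads a constructed message-trace style CSV (one row per recipient delivery; the column names, the tenant name contoso.onmicrosoft.com and the branded domain contoso.example are all assumptions), ignores mail sent from the branded domain and mail to internal recipients, and reports which days would exceed the 100-recipient limit. It counts recipient deliveries rather than distinct recipients, which is an assumption since the announcement as quoted does not say which.

```python
import csv
from collections import defaultdict
from io import StringIO

# Assumed tenant layout (not from the post): the default domain and one
# verified branded domain. Anything else is treated as external.
DEFAULT_DOMAIN = "contoso.onmicrosoft.com"
BRANDED_DOMAINS = {"contoso.example"}
INTERNAL_DOMAINS = {DEFAULT_DOMAIN} | BRANDED_DOMAINS

# Limit stated in the post: 100 external recipients per day, per organization.
DAILY_LIMIT = 100


def _build_sample_trace():
    """Constructed sample data shaped like a message-trace export (not a real export).

    One row per recipient delivery. Two users each stay under 100 on their own,
    but together push the tenant over the per-organization limit.
    """
    rows = ["received,sender_address,recipient_address"]
    for i in range(60):   # alice: 60 external recipients on day 1
        rows.append(f"2025-10-01,alice@{DEFAULT_DOMAIN},partner{i}@fabrikam.example")
    for i in range(55):   # bob: 55 external recipients on day 1
        rows.append(f"2025-10-01,bob@{DEFAULT_DOMAIN},customer{i}@adatum.example")
    for _ in range(30):   # internal mail: must not count toward the limit
        rows.append(f"2025-10-01,alice@{DEFAULT_DOMAIN},carol@{DEFAULT_DOMAIN}")
    for i in range(200):  # branded-domain sender: not subject to the cap
        rows.append(f"2025-10-01,dave@contoso.example,buyer{i}@fabrikam.example")
    for i in range(20):   # day 2 stays well under the limit
        rows.append(f"2025-10-02,alice@{DEFAULT_DOMAIN},partner{i}@fabrikam.example")
    return "\n".join(rows) + "\n"


SAMPLE_TRACE = _build_sample_trace()


def _domain(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def external_recipients_per_day(trace_csv, default_domain=DEFAULT_DOMAIN,
                                internal_domains=INTERNAL_DOMAINS):
    """Count external recipient deliveries sent from the default domain.

    Returns (per_day, per_day_per_user): the tenant-wide count for each day,
    and the same count broken down by sending mailbox so the per-organization
    versus per-user distinction is visible.
    """
    per_day = defaultdict(int)
    per_user = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(trace_csv)):
        sender = row["sender_address"].strip().lower()
        recipient = row["recipient_address"].strip().lower()
        if _domain(sender) != default_domain.lower():
            continue  # branded-domain senders are outside the scope of the cap
        if _domain(recipient) in internal_domains:
            continue  # internal recipients do not count as external
        day = row["received"].strip()
        per_day[day] += 1
        per_user[day][sender] += 1
    return dict(per_day), {d: dict(u) for d, u in per_user.items()}


def days_over_limit(per_day, limit=DAILY_LIMIT):
    """Return the sorted list of days whose tenant-wide count exceeds the limit."""
    return sorted(day for day, n in per_day.items() if n > limit)


if __name__ == "__main__":
    tenant, users = external_recipients_per_day(SAMPLE_TRACE)
    for day in sorted(tenant):
        flag = "OVER" if tenant[day] > DAILY_LIMIT else "ok"
        print(f"{day}: {tenant[day]} external recipients from {DEFAULT_DOMAIN} [{flag}]")
        for sender, n in sorted(users[day].items()):
            print(f"    {sender}: {n}")
    print("days over limit:", days_over_limit(tenant))
```

In the sample, alice (60) and bob (55) are each under 100, yet the tenant total of 115 on 2025-10-01 would be throttled, which is the point of the per-organization limit. Run against a real export, the same counts show whether any mailbox is still sending from the default domain at all, which is the condition to remove before the rollout reaches your seat size.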
They'll begin with trial accounts and gradually expand throttling over the coming months, with full enforcement across all seat sizes scheduled by June 2026.
Legitimate senders shouldn't be using the default domain anyway. If you're still sending mail from an onmicrosoft.com address, now's the time to switch over to your own branded domain.
Kudos to Microsoft for shrinking a loophole that was being exploited by bad guys to do abusive things.
Find the full details and rollout timeline here.