Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address

“Ghost-Sender” uses Exchange Online or on-premises in hybrid mode with a third-party mail server or spam filter to achieve this level of spoofing.