![](/static/253f0d9/assets/icons/icon-96x96.png)
![](https://sh.itjust.works/pictrs/image/c38fd5ff-821e-45c9-b2ee-957d0321d2e2.webp)
It says in the article that this won’t apply to org member accounts yet, but I wonder how it’ll work eventually. Member accounts created via account factory don’t even have a password, so you have to go through email account recovery to set one and then set up MFA. If this only applies to root users with passwords, that’s fine, otherwise I hope account factory will get a way to set up PW/MFA on a generated root user.
Sounds like it’s something client side or specific to Microsoft’s o365/outlook.com servers. Could be the exploit bypasses header verdicts for SPF/dkim/dmarc