Asked by rpmahony

Outlook For Mac 2011 Spoof From Address

I discovered something disconcerting after one of those "Oops" moments.  UserA was replying to an email and accidentally changed the From field to UserB before clicking Send.  A funny thing happened...  the message was sent, apparently from UserB.  The problem?  UserA does NOT have Send as or full access to UserB's mailbox, only read access to the calendar folder (which is why Outlook for Mac decided to put the name in the drop-down list for the From field, apparently).  When I look at the message header, here's what I see:

From: User Bravo (userb@domain.com)
Sender: User Alpha (usera@domain.com)

What the ....?  So Outlook for Mac will allow the message to be sent with a "spoofed" sender in the From field and Exchange 2010 will deliver it?!

Has anyone encountered this obvious flaw and is there a fix that I'm missing?  My Google Fu is weak today as I can't figure out the right search terms to find this one.

Thanks in advance.
Tags: Outlook, Exchange, Mac OS X

Last comment: 8/22/2022 (Mon)
Guy Lidbetter

I am assuming that if they have calendar management, they may also have "Send on Behalf of" rights...

Outlook for Mac does not decide whether a mail can be sent or not; that's Exchange's job. If UserA is not allowed to send, they would get an NDR once the mail was picked up in the queue. Have another look at the mailbox permissions and make sure that "Send on Behalf of" isn't set.



Send on behalf is blank in EMC for UserB.  I tested with my account as UserC and UserD and was also able to send the message.  Again, I don't have access to UserD's mailbox other than read-only on the Calendar.  I checked Send on behalf and UserD has no one configured.  I'm almost certain neither UserB nor UserD has any delegates set up (because neither of them asked me how to configure delegates).  I'm stumped thus far...

Thanks for the input, Guy.
Guy Lidbetter

No problems :-)

Run "get-mailboxpermission UserB" and see if there are any odd accounts or groups listed with access rights in there.

Ah.  Could this be the culprit?

RunspaceId      : 8e9a5bdb-d572-4738-95be-b428a1988f4e
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Company/User Bravo
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

Both UserA and I were members of Domain Admins.  I have removed UserA from the group and will test in a few.  Is the above a default permission with Ex2010?  Is it necessary when all of the Exchange security groups are assigned similar permissions as well?  I don't recall adding this setting, but my predecessor certainly may have...
Guy Lidbetter


The calendar read permission was set using PowerShell, granting everyone read-only access to everyone else's calendar.  Not exactly a delegation, but would that also conform to the above?  What a wacky hierarchy IMO.

Removing UserA from the Domain Admins did indeed deny access to send as or on behalf.  After removing group membership, an attempt to change the From field resulted in Outlook throwing an "Access denied" error.

Thanks for the assist, Guy.  And thanks again EE!
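The checks that this thread walks through one at a time (Send on Behalf in EMC, Guy's Get-MailboxPermission, and the Send-As right that actually lets a message go out under another From address) pulled together into one audit script. This is an added example, not code from the thread or from Microsoft: it assumes an on-premises Exchange 2010 Management Shell (PowerShell 2.0) on a domain-joined host, and the mailbox address passed in is only a placeholder. It keeps inherited ACEs on purpose, because the entry that explained the behaviour above (FullAccess for DOMAIN\Domain Admins) was inherited, and it expands any group-valued grant to the accounts behind it so you can see who is really covered.

```powershell
<#
  Added example, not from the thread or from Microsoft: audit who can send as,
  send on behalf of, or fully open one Exchange 2010 mailbox, keeping inherited
  ACEs (the thread's culprit was an inherited FullAccess entry for
  DOMAIN\Domain Admins) and expanding group grants to their direct members.
  Run in the Exchange Management Shell (PowerShell 2.0) on a domain-joined host.
  The mailbox identity is an assumed placeholder.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$MailboxId    # e.g. 'userb@domain.com' (placeholder, not a real address)
)

# Resolve the mailbox once; the AD-side query below needs its distinguished name.
$mbx = Get-Mailbox -Identity $MailboxId -ErrorAction Stop

# Resolve a 'DOMAIN\Group' principal to its direct member DNs with plain ADSI,
# so no ActiveDirectory module is required. Nested groups are not expanded.
function Get-DirectGroupMembers {
    param([string]$DomainBackslashName)
    $sam = $DomainBackslashName.Split('\')[-1]
    $hit = ([ADSISearcher]"(&(objectCategory=group)(sAMAccountName=$sam))").FindOne()
    if ($hit) { @($hit.Properties['member']) } else { @() }
}

# Print one line per grant, then the members behind any group-valued grant.
function Show-Grants {
    param([string]$Right, $Entries)
    foreach ($e in @($Entries)) {
        $how = if ($e.IsInherited) { 'inherited' } else { 'explicit' }
        "{0,-10} {1,-40} {2}" -f $Right, $e.User, $how
        foreach ($m in Get-DirectGroupMembers ($e.User.ToString())) { "    member: $m" }
    }
}

# 1. Send on Behalf is stored on the mailbox object itself (the EMC delegation list).
$sendOnBehalf = @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.Name })

# 2. FullAccess is a mailbox-store ACE reported by Get-MailboxPermission.
#    Inherited entries are deliberately kept: that is where Domain Admins came from.
$fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { -not $_.Deny -and
                   $_.AccessRights -contains 'FullAccess' -and
                   $_.User -notlike 'NT AUTHORITY\SELF' }

# 3. Send-As is an Active Directory extended right on the user object, so it is
#    visible through Get-ADPermission, not Get-MailboxPermission.
$sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.Deny -and
                   $_.ExtendedRights -like '*Send-As*' -and
                   $_.User -notlike 'NT AUTHORITY\SELF' }

"Mailbox:        $($mbx.PrimarySmtpAddress)"
"Send on behalf: $(if ($sendOnBehalf) { $sendOnBehalf -join ', ' } else { '(none)' })"
Show-Grants 'FullAccess' $fullAccess
Show-Grants 'Send-As'    $sendAs

# An inherited ACE cannot be removed on the mailbox itself. The thread's fix was to
# take the user out of Domain Admins; the alternative is an explicit Deny ACE, e.g.
# Add-MailboxPermission -Identity $mbx.Identity -User 'DOMAIN\Domain Admins' `
#     -AccessRights FullAccess -Deny
```

Run it against a few mailboxes (`.\Audit-MailboxSenders.ps1 -MailboxId userb@domain.com`, the file name being whatever you save it as) and look for two things: any FullAccess or Send-As line tagged "inherited" whose User is a broad group, and member lists that include day-to-day accounts such as UserA. Send-As is queried separately because Get-MailboxPermission never shows it, which is why a mailbox can look clean in that output and still be usable as a From address.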