
Microsoft puts the squeeze on onmicrosoft.com freeloaders

(2025/08/22)


Microsoft has issued a warning to companies using the onmicrosoft.com domain for emails: get your domain sorted out or face throttling.


Microsoft has [1]announced that it will begin throttling emails as of October 15. The limit will be set to 100 external recipients per organization per 24-hour rolling window. From December 1, Microsoft will start rolling out the restrictions across tenants, starting with tenants with fewer than three seats and eventually reaching tenants with more than 10,001 seats by June 2026.
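To see whether a tenant would hit that ceiling, the rolling-window count can be replayed over exported message-trace records. The sketch below is an added example, not Microsoft's or The Register's code. It assumes that every recipient outside the tenant's accepted domains counts once per message and that only mail sent from a MOERA address is counted; the tenant name, addresses and trace are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

LIMIT = 100                      # external recipients per organization (from the article)
WINDOW = timedelta(hours=24)     # rolling window (from the article)
MOERA_SUFFIXES = (".onmicrosoft.com", ".onmicrosoft.de")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def rolling_usage(trace, accepted_domains, window=WINDOW):
    """Yield (timestamp, external recipients in the trailing window) after each
    MOERA-sent message. trace: iterable of (datetime, sender, [recipients])."""
    accepted = {d.lower() for d in accepted_domains}
    recent = deque()             # one timestamp per counted external recipient
    for ts, sender, rcpts in sorted(trace, key=lambda rec: rec[0]):
        if not domain(sender).endswith(MOERA_SUFFIXES):
            continue             # assumption: custom-domain senders are not counted
        external = [r for r in rcpts if domain(r) not in accepted]
        while recent and recent[0] <= ts - window:
            recent.popleft()     # aged out of the 24-hour window
        recent.extend([ts] * len(external))
        yield ts, len(recent)

def first_breach(trace, accepted_domains, limit=LIMIT):
    """Return (timestamp, count) for the first message over the limit, else None."""
    return next(((ts, n) for ts, n in rolling_usage(trace, accepted_domains)
                 if n > limit), None)

# Constructed sample trace for a hypothetical tenant, example.onmicrosoft.com.
START = datetime(2025, 12, 1, 9, 0)
ACCEPTED = {"example.onmicrosoft.com", "example.com"}
SAMPLE = [
    # hourly alert: 4 external recipients plus 1 internal (internal is ignored)
    (START + timedelta(hours=h), "alerts@example.onmicrosoft.com",
     [f"user{i}@partner.test" for i in range(4)] + ["it@example.com"])
    for h in range(36)
] + [
    # bulk mail from the custom domain: not counted under the assumption above
    (START + timedelta(hours=10), "news@example.com",
     [f"sub{i}@list.test" for i in range(500)]),
    # one extra MOERA-sent message that tips the window over 100
    (START + timedelta(hours=30, minutes=30), "hr@example.onmicrosoft.com",
     [f"cand{i}@jobs.test" for i in range(10)]),
]

if __name__ == "__main__":
    print("peak:", max(n for _, n in rolling_usage(SAMPLE, ACCEPTED)))
    print("first breach:", first_breach(SAMPLE, ACCEPTED))
```

In the sample, a steady four external recipients an hour sits at 96 in any 24-hour window, so a single ten-recipient message is enough to cross the limit.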

The problem the Windows maker is trying to deal with is spammers exploiting a newly created tenant and sending out bursts of spam email before the company can intervene. This activity means that the onmicrosoft.com domain can be flagged as suspect or, as Microsoft puts it, "degrades this shared domain's reputation."

The domain onmicrosoft.com (and others like it, such as onmicrosoft.de) is automatically provided when an organization creates a new Microsoft 365 tenant. The plan is that administrators can quickly test out connectivity and create users in the new tenant, for example theregister.onmicrosoft.com.

The expectation is that an organization will then add its own domain going forward. However, some opt to stick with the onmicrosoft.com domain, and these impending changes could have a severe impact. Up until now, there were no limits on these Microsoft Online Email Routing Address (MOERA) domains for delivery.

Organizations using a MOERA domain have therefore been given notice that a migration is needed. A custom domain needs to be acquired, non-test emails must only use this custom domain, and, if the tenant's default domain is set to a MOERA domain, it must be changed to the custom domain.

Mailboxes will also need to have their primary SMTP addresses changed to use the custom domain alias. This could cause headaches where changing the primary SMTP address has an impact on the username, necessitating credential updates across devices and applications.

While Microsoft's stated goal is laudable, the change could ramp up the workload of affected administrators. A number of its products are reaching the end of their support cycles, including many versions of Windows 10, at the same time as the throttling is set to begin. If an organization is still using a MOERA domain, a migration will need to be factored into planning to avoid hitting the limits. ®




[1] https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167

[2] https://www.theregister.com/2025/08/21/microsoft_cuts_chinas_early_access/

[3] https://www.theregister.com/2025/08/21/microsoft_continues_the_control_panel/

[4] https://www.theregister.com/2025/08/21/microsoft_365_outage/

[5] https://www.theregister.com/2025/08/21/microsoft_makes_mcp_generally_available/




spam coming from inside

Timo

At the last 2-3 places I've been it seems that as soon as I start working and get an email address I'm getting hit with spam emails. I get spam before I have a chance to sign up for anything.

It must be that spammers are harvesting the list of users at microsoft365 or somewhere. How are they getting it, and is that a sanctioned thing (by Microsoft)?

Re: spam coming from inside

doublelayer

Quite often, before you start, that email is already in at least a few databases because it's been used to create accounts by automated processes. Which accounts depend on what the business wants you to have, and they may include accounts you don't use and didn't know that some system creates for people. I assume you're excluding any spam sent to distribution groups of which you are a member which will get sent to anyone who is added. In my experience, that's most of the stuff new accounts get.

If the data is coming from 365 directly, it's not universal. I've managed a 365 instance for a charity I volunteer with, and none of the addresses I've had have gotten spam until after used on something that is likely to have shared it. This suggests that, if we can rule out all the more likely options, someone probably has more access to your specific tenant than they should. This seems relatively unlikely compared to the other options.

Thank you

disgruntled yank

I was wondering why so much of the spam filter catch came from onmicrosoft.com.

plunet

Surprised that the spammers/scammers/etc have taken until 2025 to realise that this was a loophole that was exploitable.

The early days of Microsoft hosted email go back as far as 2010.

7 days refund

Anonymous Coward

What isn't mentioned in the article is I assume that the spammers are making the most of the 7 day refund thing. Register account, send email, check replies, delete the account, get refund.

Bonus of sending emails from a "trusted" domain. Double bonus it can make your scam look Microsoft related.
