![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 9%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Exchange Online
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 84%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHN%3C/text%3E%3C/svg%3E)
Since this is a public platform, I’ve moved the detailed information to a private message to avoid exposing any personal or organizational information. Please refer to the private message for those details. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.
Hi DG
Based on the full email message headers you provided, the email was sent through Microsoft 365 / Exchange Online Protection infrastructure with detail:
- Sending server and IP address: I will also send you via private message.
- Service owner: Microsoft Exchange Online Protection
- Datacenter location: Sydney, Australia (Microsoft Azure - Australia East region)
- SPF and DMARC checks passed, it means the sender was authorized to send mail on behalf of the domain.
- The spam confidence level was very low (SCL 1).
Microsoft 365 masks the sender’s personal device IP by design, so the absence of a user IP is expected and does not indicate compromise. According to headers, the email appears to have been sent via Microsoft’s mail system.
From a header‑analysis perspective alone, the message appears to have been sent through legitimate Microsoft infrastructure, but only the tenant owner or Microsoft Support can perform a full security investigation.
If there are ongoing concerns about a possible account compromise, the appropriate next step would be for the organization’s Microsoft 365 administrator to:
- Review Azure AD / Entra ID sign‑in logs
- Verify MFA enforcement
- Reset credentials if required
- Raise a support ticket directly with Microsoft
Additionally, I hope you understand that this forum is a peer-to-peer community. While members can share advice and experiences only.
I hope this information helps and if you have any question, please feel free to ask.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.