The bug, according to Kokorin, only works when sending the email to Outlook accounts.
Sounds like it’s something client side or specific to Microsoft’s o365/outlook.com servers. Could be the exploit bypasses header verdicts for SPF/dkim/dmarc
It says in the article that this won’t apply to org member accounts yet, but I wonder how it’ll work eventually. Member accounts created via account factory don’t even have a password, so you have to go through email account recovery to set one and then set up MFA. If this only applies to root users with passwords, that’s fine, otherwise I hope account factory will get a way to set up PW/MFA on a generated root user.
Main character