A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypass security measures provided by DMARC (or SPF or DKIM) policies.

Hosted services do not verify the sender of an email against authenticated users, allowing an attacker to spoof the identify of another user's email address.