Cyberveille curated by Decio
15 results tagged spam
Limiting Onmicrosoft Domain Usage for Sending Emails https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167
25/08/2025 11:52:12

Microsoft Community Hub - techcommunity.microsoft.com - Aug 20, 2025
We are announcing that all Exchange Online customers who send external email should start switching to custom (aka vanity) domain names.

MOERA domains for email
When an organization creates a new tenant in Microsoft 365, an onmicrosoft.com domain (or similar default domain like onmicrosoft.de) is provided. These MOERA (Microsoft Online Email Routing Address) domains enable immediate connectivity and user creation. Having enabled a quick start and testing of a new tenant, customers are expected to add their own custom domains for better brand representation and control moving forward. Customers who continue using MOERA domains as their “primary domain” may face significant challenges.

Limitations of free ‘onmicrosoft’ shared domains
These “default” domains are useful for testing mail flow but are not suitable for regular messaging. They do not reflect a customer’s brand identity and offer limited administrative control. Moreover, because these domains all share the ‘onmicrosoft’ domain (for example, ‘contoso.onmicrosoft.com’), their reputation is collectively impacted. Despite our efforts to minimize abuse, spammers often exploit newly created tenants to send bursts of spam from ‘.onmicrosoft.com’ addresses before we can intervene. This degrades this shared domain’s reputation, affecting all legitimate users. To ensure brand trust and email deliverability, organizations should establish and use their own custom domains for sending email. Until now, we did not have any limits on use of MOERA domains for email delivery.

Introducing new throttling enforcement
To prevent misuse and help improve deliverability of customer email by encouraging best practices, we are changing our policy. In the future, MOERA domains should only be used for testing purposes, not regular email sending. We will be introducing throttling to limit messages sent from onmicrosoft.com domains to 100 external recipients per organization per 24-hour rolling window. Inbound messages won't be affected. External recipients are counted after the expansion of any of the original recipients. When a sender hits the throttling limit, they will receive NDRs with the code 550 5.7.236 for any attempts to send to external recipients while the tenant is throttled.

Customer actions
Customers will need to take actions depending on their use of their MOERA domain.

Purchase and migrate to a custom domain if not already done.
Ensure only custom domains are used for sending non-test emails.
If your tenant's default domain is a MOERA domain, set the default domain to a custom domain. This can be done in the Microsoft 365 admin center.
Mailboxes will need to have their primary SMTP addresses changed to the custom domain alias. Changing the primary SMTP address will have an impact on the username used to log into accounts so updates may need to be made to any credentials configured to authenticate devices or applications with users’ accounts.
Note: Customers with Federated Domains will have to add a non-Federated custom domain in Microsoft 365 to act as a default domain, as Federated domains cannot play that role. Learn more here: AD FS Overview.

Purchasing a domain
A domain registrar is a company authorized to sell and manage domain names. To purchase a domain, you typically visit a registrar’s website, search for an available domain name, and follow the checkout process to register it in your name. Once purchased, you can manage DNS settings through the registrar’s portal to validate your ownership when adding it to Exchange Online as an accepted domain. Once purchased, you can use the following instructions to add it to your tenant as an accepted domain – documentation.

Adding new aliases to existing mailboxes
To migrate users over to using a new custom domain, admins will need to add aliases to each user account for the new custom domain. These new aliases will need to be set as the Primary SMTP Address on the mailbox so that it is used for sending out emails. Users at organizations who make use of the Sending from Aliases feature will need to ensure that the correct alias is selected when they reply to emails addressed to their MOERA alias.

Known MOERA domain usage scenarios
Besides regular email client sending when a MOERA domain is a primary SMTP address, these are some of the known usage scenarios customers should be aware of:

Sender Rewriting Scheme may use MOERA domains as fallback if it is set as the default domain. Customers will need to change their default domains to avoid this. (Sender Rewriting Scheme (SRS) in Microsoft 365).
Bookings app invites may be configured to send from MOERA domains. Customers will need to ensure Bookings is configured to use their custom domain. (Custom domain support in Shared Bookings).
Notifications from Microsoft should be set up to use a custom domain. (Select the domain to use for email from Microsoft 365 products).
Journaling Reports use the Microsoft Exchange Recipient address set for tenants (MicrosoftExchangeRecipientPrimarySmtpAddress in Get-OrganizationConfig). This address cannot be modified by admins and therefore these messages will not count towards the throttling limit.
Hybrid configurations with complex routing make use of MOERA domains containing mail.onmicrosoft.com. It is possible that addresses using these domains could send emails to external recipients e.g. OOF messages when Sending from Aliases is enabled. These messages will not be throttled so long as these domains are not used for original traffic.

Analyzing your MOERA email traffic
You can use the Message Trace feature in Exchange Admin Center to retrieve the outbound traffic being sent from your tenant. By placing a wild card address in the Senders field, you can get a report with all traffic using your onmicrosoft.com domain to send. Note that this report would contain messages sent internally as well, but those can be filtered out of the resulting report by using the recipient domain.

Rollout timeline
The throttling rollout will be based on the number of Exchange seats in an organization:

MOERA outgoing email throttling starts | Exchange seats in the tenant
October 15, 2025 | Trial
December 1, 2025 | < 3
January 7, 2026 | 3 – 10
February 2, 2026 | 11 – 50
March 2, 2026 | 51 – 200
April 1, 2026 | 201 – 2,000
May 4, 2026 | 2,001 – 10,000
June 1, 2026 | 10,001 >

Announcements for each stage of the rollout will be made one month before via Message Center to all customers meeting the seat count criteria. All customers who are using their MOERA domains are encouraged to start planning and migrating today.

techcommunity.microsoft.com EN 2025 Onmicrosoft Domain Usage emails spam
AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/
11/04/2025 07:33:23

AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

SentinelOne EN 2025 AI-Powered Bot Bypasses CAPTCHA AkiraBot Spam SEO
Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam https://blog.talosintelligence.com/simple-mail-transfer-pirates/
27/09/2024 09:25:36

Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.

talosintelligence EN 2024 spam unsolicited email Techniques third-party infrastructure
Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials https://www.sentinelone.com/labs/xeon-sender-sms-spam-shipping-multi-tool-targeting-saas-credentials/
24/08/2024 12:26:15

Cloud attack tool has been repurposed by multiple threat actors to push SMS spam and smishing campaigns through major SaaS providers.

sentinelone EN python script Cloud-attack-tool SMS spam SaaS Xeon-Sender
blog.ethereum.org mailing list incident https://blog.ethereum.org/2024/07/02/blog-incident
05/07/2024 09:46:14

On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 email addresses by updates@blog.ethereum.org with the following content

blog.ethereum.org EN incident spam mailing
OpenAI's chatbot store is filling up with spam https://techcrunch.com/2024/03/20/openais-chatbot-store-is-filling-up-with-spam/?guccounter=1
21/03/2024 17:26:19

When OpenAI CEO Sam Altman announced GPTs, custom chatbots powered by OpenAI's generative AI models, onstage at the company's first-ever developer

techcrunch EN 2024 ai apps chatbots chatgpt gpt-store gpts openai copyright legal spam
‘Wall of Flippers’ detects Flipper Zero Bluetooth spam attacks https://www.bleepingcomputer.com/news/security/wall-of-flippers-detects-flipper-zero-bluetooth-spam-attacks/
30/12/2023 14:05:55

A new Python project called 'Wall of Flippers' detects Bluetooth spam attacks launched by Flipper Zero and Android devices.

bleepingcomputer EN 2023 Python Wall Flippers Bluetooth Denial BLE blespam iphones DoS Spam
Google Search Overwhelmed By Massive Spam Attack https://www.searchenginejournal.com/google-search-overwhelmed-by-massive-spam-attack/504527/
23/12/2023 16:44:40

Google is apparently struggling to contain a spam attack that's been ongoing for days.
Google’s search results have been hit by a spam attack for the past few days in what can only be described as completely out of control. Many domains are ranking for hundreds of thousands of keywords each, an indication that the scale of this attack could easily reach into the millions of keyword phrases.

searchenginejournal EN 2023 spam attack search results keywords algorithm
Android Kitchen Sink: Send BLE spam to iOS, Android and Windows at once using Android app - Mobile Hacker https://www.mobile-hacker.com/2023/11/08/android-kitchen-sink-send-ble-spam-to-ios-android-and-windows-at-once-using-android-app/
09/11/2023 14:52:30

The Kitchen Sink is the name of a Bluetooth Low Energy (BLE) attack that sends random advertisement packets that target iOS, Android, and Windows devices in the vicinity at the same time. The attack is called “Kitchen Sink” because it tries to send every possible packet in the list, similar to the phrase “everything but the kitchen

mobile-hacker EN 2023 BLE spam Android
Now Android and Windows devices aren't safe from Flipper Zero either | ZDNET https://www.zdnet.com/article/now-android-and-windows-devices-arent-safe-from-flipper-zero-either/
25/10/2023 15:51:55

The Bluetooth spam feature that was initially used to inundate, and even crash, iPhones has now been expanded to cover Android and Windows devices.

zdnet EN 2023 flipperzero ble spam Android Bluetooth
Service Rents Email Addresses for Account Signups https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/
07/06/2023 12:57:56

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam…

krebsonsecurity EN 2023 Rents Email Addresses large-scale spam Quotpw Impulse-Team Scam-Doc[.]com
Who Broke NPM?: Malicious Packages Flood Leading to Denial of Service https://medium.com/checkmarx-security/who-broke-npm-malicious-packages-flood-leading-to-denial-of-service-77ac707ddbf1
05/04/2023 08:42:35

We’ve seen spam campaigns in the open-source ecosystems in the past year, but this month was by far the worst one we’ve seen yet. Apparently, attackers found the unvetted open-source ecosystems as an…

checkmarx-security EN 2023 NPM spam campaign flood DoS scam medium
Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/
22/10/2022 13:11:29

Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.

trustwave en 2022 Emotet botnet self-unlocking rar analysis spam archives
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
21/10/2022 21:32:38

A new variant of the URSNIF malware, first observed in June 2022, marks an important milestone for the tool. Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion. This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.

mandiant EN 2022 URSNIF backdoor Banking malware Gozi CUTWAIL spam
Malicious OAuth applications abuse cloud email services to spread spam https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
24/09/2022 00:50:46

Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange Online service to launch spam runs.

microsoft EN 2022 Exchange OAuth abuse spam Exchange attack