- Microsoft routed example.com email traffic to servers operated by Sumitomo Electric
- A test-only domain was treated as a real email provider in Microsoft systems
- Outlook autodiscover returned valid IMAP and SMTP servers for fake accounts
In January 2026, network researchers noticed unusual behavior inside Microsoft’s infrastructure involving example.com.
This domain exists solely for testing under established Internet standards and is protected by the Global Domain Registration System.
Traffic that should never have resolved to any real organization was instead routed to servers run by Sumitomo Electric, a Japanese brand known for industrial cables rather than email services.
Autodiscover anomaly
The anomaly surfaced during routine tests involving Microsoft’s Outlook autodiscover feature, which raised immediate questions about how such routing could even exist.
Requests sent to Microsoft initially yielded no explanation, even after the misrouting stopped.
The problem occurred in the autodetect and autodiscover systems that Microsoft uses when setting up new email accounts, similar to automated setup tools used by website-building platforms.
When researchers submitted test credentials using example.com, the service returned JSON responses that included mail server hostnames mapped to the sei.co.jp domain.
These responses pointed to IMAP and SMTP endpoints outside of Microsoft’s network, although the credentials were clearly placeholders.
According to RFC 2606, example.com should never generate service information that can be routed, making this behavior difficult to reconcile with expected standards.
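The check below is an added example, not code from Microsoft or from the researchers: it audits a mail auto-configuration response and reports any routable hostname suggested for an RFC 2606 reserved domain. The sample response, its field names and the `placeholder` hostnames are constructed for illustration; the walker is schema-agnostic, so it makes no assumption about the real response layout.

```python
import json
import re

# Names reserved for documentation and testing by RFC 2606.
RESERVED_SLDS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def is_reserved(domain):
    """True if domain is, or sits under, an RFC 2606 reserved name."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return ".".join(labels[-2:]) in RESERVED_SLDS

def hostnames_in(obj):
    """Walk any JSON structure and yield string values that look like hostnames."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from hostnames_in(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from hostnames_in(item)
    elif isinstance(obj, str) and HOSTNAME_RE.match(obj.lower()):
        yield obj.lower()

def audit(email, response_text):
    """Return routable hostnames that a response suggests for a reserved domain."""
    domain = email.rsplit("@", 1)[-1]
    if not is_reserved(domain):
        return []
    hosts = hostnames_in(json.loads(response_text))
    return sorted({h for h in hosts if not is_reserved(h)})

# Constructed sample response; field names and hostnames are hypothetical.
SAMPLE = json.dumps({
    "email": "user@example.com",
    "protocols": [
        {"type": "imap", "host": "imap.placeholder.sei.co.jp", "port": 993},
        {"type": "smtp", "host": "smtp.placeholder.sei.co.jp", "port": 465},
    ],
})

if __name__ == "__main__":
    for host in audit("user@example.com", SAMPLE):
        print("reserved domain mapped to routable host:", host)
```

An empty result for every reserved name is the expected outcome; any hostname returned points to a mapping that should not exist in the configuration data.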
By Monday morning, the visible routing behavior had ceased, although Microsoft still did not provide an immediate technical explanation.
Instead of returning server information associated with Sumitomo Electric, the same endpoint started timing out and then responded with a not found error.
Microsoft later confirmed that it had updated the service to stop providing suggested server information for example.com, and it stated that the investigation was still ongoing.
The endpoint no longer returned the problematic JSON output, although the underlying routing logic remained unclear.
It is still uncertain how a subsidiary domain of Sumitomo Corp. was embedded in Microsoft’s network configuration, particularly within systems comparable in scale to global web hosting infrastructure.
Previous public statements about Sumitomo Corp. deploying Microsoft 365 Copilot do not explain why a separate corporate domain appeared in autodiscover responses.
Reports suggest that the behavior may have persisted for several years, raising the possibility of long-term configuration drift within a critical service.
Microsoft has not clarified how it adds or revises autodiscover records internally.
At the time of writing, no evidence shows malicious intent behind the routing behavior, and no indication that real user credentials were exposed during normal operations.
The incident revived memories of previous administrative oversights disclosed by Microsoft, including a forgotten test account that allowed state-sponsored attackers to access internal systems.
Via Ars Technica



