Unexpected Routing Discovered in Microsoft Infrastructure
In January 2026, network researchers identified unusual activity within Microsoft’s systems involving example.com, a domain designated solely for testing under internet standards like RFC 2606. This protected domain, managed by the global registry, should never direct traffic to any real organization. Yet queries routed email traffic to servers run by Sumitomo Electric, a Japanese company specializing in industrial cables, not email services.
Autodiscover Feature Triggers Anomaly
The issue surfaced during standard tests of Microsoft’s Outlook autodiscover function, which automates email account setup much like tools on website builders. When researchers entered test credentials for example.com, the system delivered JSON responses listing mail server hostnames tied to the sei.co.jp domain. These included functional IMAP and SMTP endpoints beyond Microsoft’s network, despite the credentials being obvious placeholders.
RFC 2606 explicitly prohibits example.com from producing routable service details, so the responses were a clear deviation from the standard. By early Monday, the erroneous routing had ended. Queries to the endpoint first timed out, then returned ‘not found’ errors in place of the earlier Sumitomo-linked responses.
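An added example, not code from Microsoft or the researchers: a defender-side check that flags an autodiscover-style reply offering mail servers for an RFC 2606 reserved domain, or hosts outside both the queried domain and a caller-supplied allowlist. The JSON shape, the function names and the sample hostnames are assumptions constructed for illustration.

```python
import json

# Names reserved by RFC 2606: four TLDs and three second-level domains.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}

def is_reserved(domain):
    """True if domain is, or sits under, an RFC 2606 reserved name."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_SLDS

def under(host, suffix):
    """True if host equals suffix or is a subdomain of it (label-aligned)."""
    return host == suffix or host.endswith("." + suffix)

def audit_response(email, body, expected_suffixes=()):
    """Return findings for one autodiscover-style JSON reply.

    Assumed, hypothetical shape: {"protocols": [{"type": ..., "hostname": ...}]}.
    expected_suffixes: provider domains the caller accepts for hosted mail.
    """
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    try:
        entries = json.loads(body).get("protocols") or []
    except (ValueError, AttributeError):
        return ["unparseable response"]
    findings = []
    for entry in entries:
        if not isinstance(entry, dict) or not entry.get("hostname"):
            continue
        host = str(entry["hostname"]).lower().rstrip(".")
        kind = entry.get("type", "?")
        if is_reserved(domain):
            findings.append(f"reserved domain {domain} was offered {kind} host {host}")
        elif not any(under(host, s) for s in (domain, *expected_suffixes)):
            findings.append(f"{kind} host {host} is outside {domain} and the allowlist")
    return findings

# Constructed sample reply; hostnames are placeholders, not values from the incident.
SAMPLE = json.dumps({"protocols": [
    {"type": "imap", "hostname": "imap.thirdparty.invalid"},
    {"type": "smtp", "hostname": "smtp.thirdparty.invalid"},
]})

if __name__ == "__main__":
    for line in audit_response("test@example.com", SAMPLE):
        print(line)
```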
Microsoft’s Response and Ongoing Probe
Microsoft confirmed it updated the service to halt suggested server information for example.com, noting the investigation continues. The endpoint now avoids the faulty JSON output, though the root cause of the routing logic stays unclear.
Questions persist about how a domain belonging to a Sumitomo Corp. subsidiary became part of Microsoft’s vast configuration systems, akin to global web hosting setups. While Sumitomo has adopted Microsoft 365 Copilot, this does not account for the separate domain’s appearance in autodiscover replies. Evidence points to the glitch possibly lasting years, suggesting potential configuration drift in a key service.
Microsoft has yet to detail its internal processes for adding or reviewing autodiscover records. No signs indicate malicious activity, and normal operations show no exposure of real user credentials.
Broader Implications for System Reliability
This event echoes prior Microsoft disclosures of administrative lapses, such as an overlooked test account exploited by state-sponsored intruders. It underscores the challenges of maintaining accuracy in automated systems handling global email traffic.

