ooof, that seems like a pretty big problem

"the email domain for the Department of State, allows Outlook to send emails on their behalf... an attacker can create a spoofed email... and then forward it through their personal Outlook account. Once they do this, the spoofed email will now be treated as legitimate by the recipient"