Spammers, hackers, and phishers are exploiting SM15 (probably SM16 also) by spoofing popular domains using a null sender. Here's a message that appears to come from @constantcontact.com. It looks legit, but it's fake when you look at the header (can't expect users to do that).
Received: from lurch.overforcorp.com (lurch.operatbox.com [188.8.131.52]) by v15.smartermail.com with SMTP;
Fri, 22 Sep 2017 11:17:56 -0400
Received: from localhost (127.0.0.1) by lurch.overforcorp.com id eIqp4hLQVtZazhbvcw for email@example.com; Fri, 22 Sep 2017 11:18:00 -0400 (envelope-from <firstname.lastname@example.org>)
Date: Fri, 22 Sep 2017 11:18:00 -0400
Content-Type: multipart/alternative; boundary="=_3ee2f1a39725234a7a5414f8bb61e71a"
X-SmarterMail-Spam: Null Sender, Commtouch 10 [value: Confirmed], DKIM_None, Custom Rules 
There needs to be some kind of check between the From address inside the envelope (what the user sees) and the from address on the outside of the envelope (sending mail server). The other thing you'll notice is that this message doesn't have any SPF checking, again probably due to the null sender. IMO, this is a serious vulnerability that needs to be addressed ASAP, very similar to these other issues:
Greylisting doesn't work with Null Senders
Spam checks don't run for Null Senders
If there's a checkbox somewhere that stops this, please let me know.
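The comparison the post asks for, between the visible From header and the envelope identity, sketched as an added example (not part of the original post and not SmarterMail code). It assumes the receiving server records the envelope sender in Return-Path and knows the HELO name; for a null sender it falls back to the HELO domain, which is the identity SPF (RFC 7208) checks in that case. The sample messages and the `classify` helper are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(identity, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    if not identity or not from_domain:
        return False
    return (identity == from_domain
            or identity.endswith("." + from_domain)
            or from_domain.endswith("." + identity))

def classify(raw_message, helo):
    """Compare the header From domain with the envelope identity."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return_path = msg.get("Return-Path")
    if return_path is None:
        return "no-envelope-recorded"
    env = return_path.strip().strip("<>").strip()
    null_sender = env == ""  # MAIL FROM:<>
    # With a null sender the only authenticated name left is the HELO host.
    identity = helo.lower() if null_sender else domain_of(env)
    if aligned(identity, from_domain):
        return "aligned"
    return "null-sender-unaligned" if null_sender else "unaligned"

def sample(return_path, from_header):
    """Build a constructed test message (not taken from the post)."""
    return (f"Return-Path: {return_path}\nFrom: {from_header}\n"
            "Subject: constructed sample\n\nbody\n")

# Constructed inputs: a spoof like the one described, and a genuine bounce.
SPOOF = sample("<>", '"Constant Contact" <news@constantcontact.com>')
BOUNCE = sample("<>", "Mail Delivery System <MAILER-DAEMON@mx.example.net>")
BULK = sample("<bounce@mail.example.com>", "News <news@example.com>")
MISMATCH = sample("<a@other.test>", "News <news@example.com>")

if __name__ == "__main__":
    print(classify(SPOOF, "lurch.overforcorp.com"))
    print(classify(BOUNCE, "mx.example.net"))
    print(classify(BULK, "out.example.com"))
    print(classify(MISMATCH, "out.other.test"))
```

The genuine bounce also has a null sender but stays aligned through its HELO name, so a rule built this way can act on spoofed null-sender mail without rejecting delivery status notifications.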