This vulnerability can occur in the following circumstances:

The script is using PHPMailer's default isMail() transport, i.e. using PHP's built-in mail() function.

The 'From' address is set from user input.

The Sender property is not set explicitly.

The server is not running the postfix mail server