Bug allows threat actors to imitate legitimate Microsoft emails
A security researcher discovered a bug that allows threat actors to send a message that appears to come from the legitimate email address of a Microsoft employee.
Vsevolod Kokorin, better known online as Slonser, notified Microsoft about the bug upon discovering it. However, the tech giant, unable to reproduce the issue, dismissed the report.
In response, Slonser shared the bug online, hiding details that would allow users to exploit it.
I want to share my recent case:
> I found a vulnerability that allows sending a message from any user@domain
> We can’t reproduce it
> I sent a video with the exploitation, a complete PoC.
> We can’t reproduce it
At this point, I decided to stop communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
— slower (@slonser_) June 14, 2024
While details of the bug have been intentionally kept secret, Slonser said the bug only affects Outlook account holders, of which there are 400 million, making Outlook the biggest rival to Gmail, which has 1,800 million users.
The bug appears to allow those who exploit it to send an email that at least appears to come from a legitimate address, making it a dangerous phishing tool for scammers and threat actors.
To test the bug, Slonser sent a demo email to TechCrunch posing as Microsoft’s account security team.
In an online chat with TechCrunch, Slonser said making the bug public appears to have piqued Microsoft’s interest once again as the company reviewed the issue.
“Microsoft just said they couldn’t reproduce it without providing any details,” Slonser told TechCrunch.
“Microsoft might have noticed my tweet because a few hours ago they reopened [sic] one of my reports that I had presented several months ago.”