A newly discovered security vulnerability allows attackers to impersonate Microsoft corporate email accounts, significantly increasing the risk of phishing attacks.
Security researcher Vsevolod Kokorin, also known as Slonser, found this bug, which Microsoft has not yet patched.
Kokorin revealed the bug on X (formerly Twitter) after Microsoft dismissed his initial report, claiming they could not reproduce the issue.
To demonstrate the vulnerability, Kokorin sent an email to TechCrunch that appeared to be from Microsoft’s account security team.
The bug specifically affects emails sent to Outlook accounts; according to Microsoft’s latest earnings report, Outlook has a user base of at least 400 million people worldwide.
Kokorin expressed his frustration over Microsoft’s response, stating, “Microsoft just said they couldn’t reproduce it without providing any details. Microsoft might have noticed my tweet because a few hours ago, they reopened one of my reports that I had submitted several months ago”.
Despite the public disclosure, Kokorin did not provide technical details that could be used to exploit the bug maliciously.
The practical impact is significant: a threat actor can send phishing emails whose sender appears to be a legitimate Microsoft corporate account, which makes the lure far more convincing to the recipient and correspondingly more likely to succeed.
This flaw adds to a series of security challenges Microsoft has faced recently, including breaches by state-sponsored hackers from China and Russia.
In response to these ongoing security issues, Microsoft President Brad Smith testified before the House Homeland Security Committee, pledging to prioritize cybersecurity and address the company’s security shortcomings.
This commitment follows several high-profile breaches, including the theft of U.S. federal government emails by Chinese hackers and the Russian hackers’ compromise of Microsoft corporate email accounts.
As of now, it remains unclear whether the bug has been exploited by malicious actors other than Kokorin.
Microsoft has not yet commented on the issue, and the vulnerability poses a significant risk to Outlook users worldwide.