Security bug could have allowed anyone to spoof Microsoft employee emails

However Microsoft said it couldn’t reproduce the bug

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Security researchers recently claimed to have found a flaw that could allow threat actors tospoofMicrosoftcorporate emails.

A cybersecurity researcher with the alias Slonser (full name Vsevolod Kokorin, according toTechCrunch) recently posted on X with a telling screenshot that appeared to show an email seemingly coming from thesecurity@microsoft.comemail address.

In the post, Slonser said that after tipping off Microsoft about the vulnerability, the company came back saying it couldn’t reproduce it. In other words - it didn’t find it relevant. The researcher then shared “a video with the exploitation, a full PoC” to which Microsoft, yet again, responded by saying it was unable to reproduce the flaw.

Large attack surface

“At this point, I decided to stop the communication with Microsoft,” Slonser said, and just posted his findings on the internet.

His post “blew up”, raking in more than 118,000 views at press time. The researcher later suggested toTechCrunchthat Microsoft may have had a change of heart: “Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”

The vulnerability apparently only works on Outlook accounts, which are still some 400 million users. So, the attack surface is fairly large. By spoofing major brands such as Microsoft, threat actors could create convincing and highly dangerous phishing emails, so the threat coming from this vulnerability is real.

However, it is currently unknown if Slonser was the first one to find it, or if someone else already discovered it and abused it in attacks.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Microsoft has recently been put on a pillar of shame, after a series of security mishaps which resulted in Chinese threat actors reading emails belonging to high ranking US government employees. As a result, Microsoft announced a full overhaul of its security practices, and claimed to have placed cybersecurity “above all else”.

ViaTechCrunch

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

VIPRE Security Group says its new endpoint protection tools can stamp out even the latest cybersecurity threats