Spoofing vulnerability allows emails to be sent under Microsoft's name

An unpleasant story: there is a vulnerability in Microsoft's email services that allows third parties to send emails on behalf of Microsoft. As far as I know, Microsoft has confirmed this bug, but has not yet patched it. This means that you should expect phishing emails that appear to come from Microsoft addresses.



Security researcher encounters spoofing bug

Security researcher @slonser_ (aka Vsevolod Kokorin) from SolidLab came across a nasty problem with Microsoft's email services some time ago. In the following tweet he writes: "I found a vulnerability that allows a message to be sent from an arbitrary user@domain."

(Tweet screenshot: Microsoft spoofing bug in emails)

What is meant is that the security researcher has found a bug in Microsoft's email services that allows third parties to send an email under any sender domain (e.g. @microsoft.com). A recipient of such an email has no obvious way to tell that it did not originate from Microsoft.

Not many details emerge from the tweet, but the security researcher contacted TechCrunch, who reveal some details in this post (a reader pointed to the TechCrunch article in this comment). It states that the bug found by the security researcher allows anyone to send mail under a Microsoft corporate email address (@microsoft.com). This would give phishers an effective tool to make phishing attempts appear more credible.

The security researcher did not publish any details, in order to prevent misuse, but tried to clarify the matter with Microsoft. He reported the bug to the Microsoft security team. The response was that the bug could not be reproduced. The security researcher then sent Microsoft a video with a proof of concept (PoC), but reports no progress in the matter since.



At this point, Vsevolod Kokorin decided to cease communication and published the above tweet. The tweet went viral (more than 120,000 views), and the security researcher spoke to TechCrunch, who then made some details of the case public. According to Kokorin, the bug only works when the email is sent to Outlook accounts. That still affects 400 million accounts, however.

The problem is that any domain name can be used as the sender address. According to Kokorin, he last had contact with Microsoft on June 15, 2024. Microsoft did not respond to TechCrunch's request for comment. The bug has probably not yet been fixed, which is why no technical details are being disclosed, in order to prevent misuse.
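The article gives no technical details of the bug, and it does not say whether the spoofed messages passed Outlook's own SPF/DKIM/DMARC evaluation. As an added example (not code from the article, the researcher or Microsoft), the following Python reads a message's Authentication-Results header and checks whether the domain shown in From: is actually backed by an aligned SPF or DKIM pass. That DMARC-style alignment check is what separates a mail genuinely authorized by a domain from one that merely claims its name, which is exactly the distinction a spoofed @microsoft.com sender blurs. The three sample messages are constructed for this example, and the relaxed-alignment helper is a simplification (real DMARC compares organizational domains using the Public Suffix List).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for illustration; none of these is a real message
# from the incident described in the article.
SAMPLE_ALIGNED = """\
From: Microsoft Account Team <account-security@microsoft.com>
To: user@outlook.com
Subject: constructed sample 1
Authentication-Results: spf=pass smtp.mailfrom=mail.microsoft.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com

Message body.
"""

SAMPLE_SPOOFED = """\
From: Microsoft Account Team <account-security@microsoft.com>
To: user@outlook.com
Subject: constructed sample 2
Authentication-Results: spf=pass smtp.mailfrom=attacker.example;
 dkim=pass header.d=attacker.example;
 dmarc=fail header.from=microsoft.com

Message body.
"""

SAMPLE_NO_AUTH = """\
From: Microsoft Account Team <account-security@microsoft.com>
To: user@outlook.com
Subject: constructed sample 3

Message body.
"""


def header_from_domain(msg):
    """Domain of the RFC 5322 From: header, i.e. what the user sees."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Pull SPF/DKIM/DMARC verdicts and the domains SPF and DKIM were
    evaluated for out of Authentication-Results (each hop may add one)."""
    raw = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", raw, re.I):
        verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    spf = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([^\s;]+)", raw, re.I)
    dkim = re.search(r"header\.d=([^\s;]+)", raw, re.I)
    return (verdicts,
            spf.group(1).lower() if spf else None,
            dkim.group(1).lower() if dkim else None)


def aligned(auth_domain, from_domain):
    """Relaxed alignment: equal, or one is a subdomain of the other.
    Assumption: real DMARC compares organizational domains via the Public
    Suffix List; this simplification is enough for the demonstration."""
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def check_sender_alignment(raw_message):
    """Report which authenticated identity, if any, backs the visible From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = header_from_domain(msg)
    verdicts, spf_dom, dkim_dom = parse_auth_results(msg)
    spf_ok = verdicts.get("spf") == "pass" and aligned(spf_dom, from_dom)
    dkim_ok = verdicts.get("dkim") == "pass" and aligned(dkim_dom, from_dom)
    return {
        "from_domain": from_dom,
        "spf_domain": spf_dom,
        "dkim_domain": dkim_dom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # Only an aligned pass binds the visible sender to a domain that
        # actually authorized the message; anything else is unverified.
        "verdict": "aligned" if (spf_ok or dkim_ok) else "unverified",
    }


if __name__ == "__main__":
    for name, sample in [("aligned", SAMPLE_ALIGNED), ("spoofed", SAMPLE_SPOOFED),
                         ("no auth", SAMPLE_NO_AUTH)]:
        print(name, check_sender_alignment(sample))
```

The second sample shows the important caveat: SPF and DKIM both say "pass", yet the message is still spoofed, because they passed for attacker.example and not for the domain in From:. A check that only looks for the word "pass" without comparing domains would wave it through; only alignment with the visible sender domain tells the recipient anything.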



This entry was posted in Security.
