Researchers have discovered a bug that could allow anyone to spoof a Microsoft corporate email account, making phishing attacks more likely to appear credible and fool their targets.
As of this writing, the bug has not been fixed. To demonstrate the bug, the researcher sent TechCrunch an email that appears to have been sent from Microsoft's account security team.
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he had discovered an email spoofing bug and reported it to Microsoft, but Microsoft rejected his report because they couldn't reproduce the bug he discovered. Kokorin then disclosed the bug on X, without revealing any technical details that would help others exploit it.
I would like to share a recent example from my own experience.
> We discovered a vulnerability that allows messages to be sent from any user@domain
> I can't reproduce it
> Send a video of the full PoC of the exploit
> I can't reproduce it
At this point I decided to stop communicating with Microsoft. pic.twitter.com/mJDoHTn9Xv
— Slonser (@slonser_) June 14, 2024
“Microsoft just said they couldn't reproduce it without providing any details,” Colloin told TechCrunch in an online chat. “Microsoft may have noticed my tweets because they were reactivated a few hours ago. [sic] This is one of the reports I submitted a few months ago.”
Kokorin said the bug only occurs when sending emails to Outlook accounts, which Microsoft says have at least 400 million users worldwide, according to its latest earnings report.
Kokorin said he last contacted Microsoft on June 15. Microsoft did not respond to TechCrunch's request for comment on Tuesday.
TechCrunch is not publishing technical details about the bug to prevent malicious hackers from exploiting it.
“I didn't expect my post to get this kind of response. To be honest, I felt sad about the situation and just wanted to express my frustration,” Kokorin said. “It seems like a lot of people misunderstand me and think I want money or something. In reality, I just want companies to not ignore researchers and be more kind when trying to help them.”
It is unclear whether anyone other than Kokorin discovered this bug or whether it was maliciously exploited.
The threat of the bug is unclear at this time, but Microsoft has experienced several security issues in recent years that have led to investigations by federal regulators and members of Congress.
Last week, Microsoft President Brad Smith testified at a House of Representatives hearing following China's theft of some U.S. federal government emails from Microsoft servers in 2023. During the hearing, Smith pledged a renewed effort to prioritize cybersecurity within the company following a string of security embarrassments.
Months earlier, in January, Microsoft acknowledged that a group of hackers linked to the Russian government had broken into its corporate email accounts and stolen information that top company executives knew about the group. Then last week, ProPublica revealed that Microsoft had ignored warnings about a critical flaw that was later exploited in a cyberespionage campaign targeting the Russian-backed technology company SolarWinds.