A bug allowing threat actors to send a message from what appears to be a legitimate Microsoft employee email has been discovered by a security researcher.
Vsevolod Kokorin, better known as Slonser online, notified Microsoft of the bug upon discovery. However, unable to recreate the bug, the tech giant dismissed the issue.
In response, Slonser then shared the bug online, withholding details that would allow users to exploit it.
I want to share my recent case:
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to stop the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
— slonser (@slonser_) June 14, 2024
While details of the bug have been intentionally kept quiet, Slonser said the bug only affects Outlook account holders, of which there are 400 million, making Outlook the largest rival for Gmail, which has 1.8 billion users.
The bug appears to allow those who exploit it to send an email that at least appears to be from a legitimate address, making it a dangerous phishing tool for scammers and threat actors.
To prove the bug, Slonser sent a demonstration email to TechCrunch impersonating Microsoft’s account security team.
In an online chat with TechCrunch, Slonser said that making the bug public seems to have piqued Microsoft’s interest once again as the company revisited the issue.
“Microsoft just said they couldn’t reproduce it without providing any details,” Slonser told TechCrunch.
“Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”