A security researcher discovered a bug in Outlook that could allow anyone to spoof a Microsoft corporate email account, potentially making phishing attacks seem legitimate and fooling unsuspecting targets. The vulnerability remains unpatched, prompting an urgent warning to roughly 400 million Outlook users.
Vsevolod Kokorin, a security researcher at SolidLab, first warned about the email spoofing bug on X (formerly Twitter) last week. Kokorin had reported the issue to Microsoft, but the company rejected his report, saying it couldn’t reproduce his findings. Frustrated, Kokorin took to X to warn others, while understandably refusing to provide the technical details needed to exploit the vulnerability.
As demonstrated in the screenshots he shared, the bug allows anyone to send emails to another Outlook user while posing as an official Microsoft corporate account. In his update, he said Microsoft is aware of the issue, but it’s unclear when a patch will be applied. He also told TechCrunch that Microsoft may have noticed his tweet, as the company is re-investigating one of the reports he filed a few months ago. We have reached out to Microsoft for comment and will update this article if we hear back.
I would like to share a recent case:
> I found a vulnerability that allows sending messages from any user@domain
> I can’t reproduce
> I sent a video of the exploit, a full PoC
> I can’t reproduce
At this point, I decided to stop communicating with Microsoft. pic.twitter.com/mJDoHTn9Xv (June 14, 2024)
How to protect yourself from the new Outlook spoofing bug
Given that a malicious actor would only need to send an email to another Outlook account to exploit this bug, all 400 million Outlook users are at risk of a phishing attack from a legitimate-looking Microsoft corporate account. It’s not yet clear when a patch will be applied, but if you’re an Outlook user, there are some precautions you can take to stay safe in the meantime.
Unfortunately, it all comes down to the old advice to stay vigilant. We highly recommend always being cautious of messages that appear to come from Microsoft. Kokorin advises all Outlook users to be cautious when opening new emails and to avoid clicking on suspicious links. You should also consider signing up for one of the best antivirus software solutions, many of which offer access to VPNs, password managers, and other extra features to keep you safe online.
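For readers who can view a message's raw source, one concrete check that goes beyond "stay vigilant" is to compare the visible From domain against the Authentication-Results header that your own receiving mail server added. The script below is an added example written for this article, not code from Kokorin, SolidLab or Microsoft, and it does not use any detail of the undisclosed Outlook bug; it is a generic sender-spoofing check. The watched domain list, the trusted authserv-id `mx.example.net`, and the three sample messages are all constructed for the example. Whether this particular bug would show up as a DMARC failure is unknown, since the technical details have not been published.

```python
"""Flag messages whose visible From claims a watched domain while the
Authentication-Results header recorded by our own mail server shows the
authentication checks failing or absent. Added example; assumptions noted."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical watch list: domains whose mail should always authenticate.
WATCHED_DOMAINS = {"microsoft.com"}

# Only trust Authentication-Results headers stamped by our own server
# (hypothetical authserv-id). A sender can forge the header itself, so
# any header carrying a different authserv-id is ignored.
TRUSTED_AUTHSERV = "mx.example.net"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(values, trusted=TRUSTED_AUTHSERV):
    """Collapse trusted Authentication-Results headers into {method: result}.
    The first trusted header seen wins for each method."""
    results = {}
    for value in values:
        text = str(value)
        authserv = text.split(";", 1)[0].strip().lower()
        if authserv != trusted.lower():
            continue  # stamped by someone else: possibly forged, skip it
        for method, result in AUTH_RE.findall(text):
            results.setdefault(method.lower(), result.lower())
    return results


def assess(raw_message):
    """Return a verdict dict for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))
    watched = domain in WATCHED_DOMAINS
    if watched and auth.get("dmarc") != "pass":
        verdict = "suspicious"      # claims a watched domain, no DMARC pass
    elif watched:
        verdict = "authenticated"   # watched domain, DMARC passed
    else:
        verdict = "unwatched"       # not a domain we special-case
    return {"from_domain": domain, "auth": auth, "verdict": verdict}


# Constructed sample messages (not real captures).
LEGIT = """\
From: Microsoft Account Team <account@microsoft.com>
To: user@example.net
Subject: Security alert
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com

Body text.
"""

SPOOFED = """\
From: Microsoft Account Team <account@microsoft.com>
To: user@example.net
Subject: Security alert
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=other.invalid; dkim=none; dmarc=fail header.from=microsoft.com

Body text.
"""

# The sender inserted their own "passing" header; our server added none.
FORGED_AR = """\
From: Microsoft Account Team <account@microsoft.com>
To: user@example.net
Subject: Security alert
Authentication-Results: mx.other.invalid; dmarc=pass header.from=microsoft.com

Body text.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED_AR)):
        print(name, assess(raw))
```

The check deliberately trusts only the header stamped by your own server, because anyone can prepend an Authentication-Results line that says `dmarc=pass`; that is why the third sample, which carries only a header from an untrusted authserv-id, is still flagged as suspicious.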