A researcher has discovered a flaw that enables anyone to impersonate Microsoft corporate email accounts.
This makes phishing attempts appear more credible and more likely to deceive their targets.
The bug had not been fixed as of the time of this writing. To demonstrate the flaw, the researcher sent TechCrunch an email that appeared to come from Microsoft's account security team.
Vsevolod Kokorin, also known online as Slonser, said he found the email-spoofing bug and reported it to Microsoft.
However, the company dismissed his report after stating that it could not reproduce his findings. That prompted Kokorin to disclose the flaw on X (formerly Twitter) last week, though he withheld the technical details that could have helped others exploit it.
Kokorin told TechCrunch in an online chat that Microsoft had said only that it could not reproduce the issue, without offering any details.
“Microsoft may have observed my tweet, as they recently reopened one of my reports that I had submitted several months ago.”
Kokorin says the flaw only works when the spoofed email is sent to Outlook accounts. That is still a pool of at least 400 million users worldwide, according to Microsoft's most recent earnings report.
Kokorin said he last heard from Microsoft on June 15. Microsoft did not respond to TechCrunch's request for comment on Tuesday.
“I did not anticipate my post would elicit such a response.”
“In all honesty, I simply wanted to express my frustration because this situation has caused me to feel sad,” Kokorin stated.
“Many individuals have misunderstood me and believe I am pursuing financial gain or some other form of compensation. In actuality, I want companies to refrain from disregarding researchers and to be more empathetic when they attempt to assist.”
It is unclear whether anyone other than Kokorin has found the flaw, or whether it has been exploited maliciously.
The threat posed by this bug is currently unknown, but Microsoft has faced numerous security issues in recent years, prompting inquiries from federal regulators and congressional legislators.
Microsoft president Brad Smith testified in a House hearing last week after China stole a tranche of U.S. federal government emails from Microsoft's servers in 2023. During the hearing, Smith committed the company to prioritizing cybersecurity in the wake of a series of security breaches.
In January, Microsoft confirmed that a hacking group backed by the Russian government had breached its corporate email accounts to learn what the company knew about the hackers themselves.
Last week, ProPublica reported that Microsoft had ignored warnings about a critical vulnerability that was later exploited in the Russian-backed cyber espionage campaign that targeted the technology company SolarWinds.