
Security Researcher Discovers Flaw Allowing Email Spoofing in Outlook

By Hilary Ong

Jun 20, 2024


A critical security flaw discovered in Microsoft’s email system could permit attackers to mimic Microsoft corporate email accounts, increasing the likelihood of successful phishing attacks.

Researcher Vsevolod Kokorin, who operates under the pseudonym Slonser, initially identified the vulnerability and reported it to Microsoft. Despite his report, Microsoft was initially unable to replicate the issue and dismissed his claims.

Following this dismissal, Kokorin took to the social media platform X (formerly Twitter) to disclose the existence of the bug, albeit without sharing the technical specifics that would enable exploitation.

Who Is Affected by This Security Flaw?

The flaw, as described by Kokorin, only affects email sent to Microsoft’s Outlook accounts, which potentially puts over 400 million users at risk globally, according to Microsoft’s recent earnings data.

The bug’s discovery and subsequent public disclosure came after Microsoft had not taken action on Kokorin’s earlier reports. According to Kokorin, Microsoft only revisited and reopened one of his past reports after he voiced his frustrations publicly on X.

Microsoft’s Reaction

To demonstrate the severity of this vulnerability, Kokorin conducted a test by sending an email that appeared to be from Microsoft’s account security team to the news outlet TechCrunch. This act was meant to highlight the potential for credible phishing schemes enabled by the bug. TechCrunch has chosen not to reveal the technical details of the vulnerability to avoid assisting potential malicious exploits.

Kokorin’s interaction with Microsoft and his decision to go public stem from a lack of adequate response from the company, not a desire for financial compensation. His main concern, he stated, was the general disregard companies often show towards security researchers and their contributions.

Recent Microsoft Security Breaches

The implications of this security lapse are particularly concerning given Microsoft’s recent track record with cybersecurity issues.

Over the past few years, Microsoft has been the target of several high-profile hacking incidents, including breaches linked to foreign governments. Notably, a hacking group associated with the Russian government infiltrated Microsoft corporate email accounts in January, seeking to learn what the company’s executives knew about the group itself.

Furthermore, last week, investigative reports by ProPublica highlighted Microsoft’s failure to address critical vulnerabilities that were later exploited in the Russian-backed cyber espionage attack on the technology firm SolarWinds.

These ongoing security challenges were underscored last week during a testimony by Microsoft President Brad Smith before a House hearing, where he committed to prioritizing cybersecurity in the wake of these incidents. This hearing was convened after revelations that China had accessed a significant number of U.S. federal government emails hosted on Microsoft’s servers in 2023.

As of the latest updates, Microsoft has not responded to requests for comment regarding this newly revealed bug. It remains unclear if others besides Kokorin have discovered or maliciously exploited this vulnerability.
