The renowned security researcher Vsevolod Kokorin has discovered a vulnerability that enables attackers to spoof Microsoft email addresses and thus launch credible phishing attacks on Microsoft customers.
Outlook accounts targeted
The vulnerability specifically affects emails sent to Outlook accounts. Outlook is an email service with over 400 million users worldwide, meaning that attackers can potentially send millions of fake emails that appear trustworthy to recipients.
Microsoft has recognized the problem in the meantime
Kokorin reported the flaw to Microsoft. He had already informed the company of his discovery months ago, he told TechCrunch. However, the technology giant initially stated that it was unable to reproduce the problem. Finally, the security researcher published information about his discovery on X (formerly Twitter).
The technical details of the vulnerability were not published for security reasons to prevent possible misuse. Kokorin emphasized that he had not acted out of financial motives, but rather wanted to encourage companies to take security researchers seriously and work better with them.
It is not known whether anyone other than Kokorin has also discovered the vulnerability and may already be actively exploiting it.
After Microsoft initially failed to respond to Kokorin’s request for comment, Microsoft now appears to have responded. On Tuesday evening, the researcher explained on X that the company had now recognized the problem. “They have also looked at some of my older reports on emails,” he continued. However, it remains unclear when the spoofing problem will be fixed.
The vulnerability is reproducible
The NoSpamProxy security team has analyzed the vulnerability and was able to reproduce the behaviour described by Kokorin. We also refrain from publishing the details of the vulnerability because the risk is considerable and exploitation could have serious consequences.
We were also able to spoof other domains protected by a DMARC policy, including web.de and our own domain nospamproxy.com. As things currently stand, we assume that basically all external domains can be spoofed.
As we are not sure whether this is the same vulnerability, we have also forwarded a report with our findings to Microsoft.
Two-stage security concepts protect
Mistakes can of course happen. However, cases like this also show that two-stage security concepts always offer the best possible protection: a combination of Microsoft 365 and NoSpamProxy as a mail gateway would have solved the problem from the outset, because the gateway's evaluation of the Header-From (the sender address the recipient actually sees) detects forged senders and rejects or blocks the corresponding emails. NoSpamProxy customers are therefore protected from this vulnerability.
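To illustrate what such a Header-From evaluation amounts to, here is an added example in Python; it is not NoSpamProxy code and not a description of the product's implementation. It assumes a gateway has already verified SPF and DKIM and recorded the results in an Authentication-Results header, then checks whether the Header-From domain is aligned with any domain that actually passed authentication, in the relaxed or strict sense used by DMARC. All domain names and message headers below are constructed sample data, and the organizational-domain helper is a deliberate simplification (an assumption; production gateways use the Public Suffix List).

```python
"""Header-From alignment check: added example, not NoSpamProxy's own code."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Set

# Pulls (mechanism, result, identifier) triples out of an Authentication-Results
# header, e.g. "spf=pass smtp.mailfrom=bounce@mail.trusted.example".
AUTHRES_RE = re.compile(
    r"(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.\-@]+)", re.I
)


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: a real gateway consults the Public Suffix List instead
    (otherwise 'example.co.uk' would collapse to 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_from_domain(msg: Message) -> Optional[str]:
    """Domain of the RFC 5322 From header, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def authenticated_domains(msg: Message) -> Set[str]:
    """Domains that passed SPF (smtp.mailfrom) or DKIM (header.d) according to
    the Authentication-Results header the receiving gateway added itself."""
    passed: Set[str] = set()
    for value in msg.get_all("Authentication-Results", []):
        for _mech, result, ident in AUTHRES_RE.findall(value):
            if result.lower() == "pass":
                passed.add(ident.rsplit("@", 1)[-1].lower())
    return passed


def aligned(header_from: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC-style alignment: strict requires an exact match, relaxed only
    requires the same organizational domain."""
    if mode == "strict":
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(raw_message: str, mode: str = "relaxed") -> str:
    """Gateway verdict for one message: 'accept' or a 'reject: ...' reason."""
    msg = message_from_string(raw_message)
    hf = header_from_domain(msg)
    if hf is None:
        return "reject: unparsable Header-From"
    for domain in authenticated_domains(msg):
        if aligned(hf, domain, mode):
            return "accept"
    return "reject: Header-From not aligned with any authenticated domain"


# Constructed sample messages (all domains are placeholders).
LEGITIMATE = """From: "Trusted Corp" <alerts@trusted.example>
To: user@recipient.example
Subject: Your statement is ready
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@mail.trusted.example; dkim=pass header.d=trusted.example

Your statement is ready.
"""

# Displayed sender claims trusted.example, but nothing for that domain passed.
FORGED = """From: "Trusted Corp" <alerts@trusted.example>
To: user@recipient.example
Subject: Urgent: verify your account
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@other.example; dkim=none

Please click the link.
"""

# Subdomain in From, parent domain signed: passes relaxed, fails strict.
SUBDOMAIN = """From: <alerts@mail.trusted.example>
To: user@recipient.example
Subject: Monthly report
Authentication-Results: mx.recipient.example; spf=none; dkim=pass header.d=trusted.example

Report attached.
"""

if __name__ == "__main__":
    for name, raw in [("legitimate", LEGITIMATE), ("forged", FORGED), ("subdomain", SUBDOMAIN)]:
        print(f"{name:10s} relaxed={evaluate(raw)!r} strict={evaluate(raw, 'strict')!r}")
```

The forged sample is rejected even though its SPF check passed, because SPF only vouches for the envelope sender (other.example), not for the address shown to the user; this gap between envelope and Header-From is exactly what a gateway-side alignment check closes.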
Not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company from cyber attacks. Request your free trial version now!