A researcher has discovered a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts appear credible and more likely to deceive their targets.
As of this writing, the bug has not been fixed. To prove the bug, the researcher sent an email to TechCrunch that looked like it was sent by Microsoft’s account security team.
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email spoofing bug and reported it to Microsoft, but the company rejected his report after saying it could not reproduce his findings. This prompted Kokorin to make the bug public on X, without providing technical details that would help others exploit it.
“Microsoft just said they couldn’t reproduce it without giving details,” Kokorin told TechCrunch in an online chat. “Microsoft might have noticed my tweet because a few hours ago they reopened [sic] one of my reports that I submitted several months ago.”
The bug, according to Kokorin, only works when sending the email to Outlook accounts. However, this is a group of at least 400 million users worldwide, according to Microsoft’s latest earnings report.
Kokorin said he last followed up with Microsoft on June 15. Microsoft did not respond to TechCrunch’s request for comment on Tuesday.
TechCrunch is not disclosing technical details of the bug to prevent malicious hackers from exploiting it.
“I didn’t expect my post to get such a reaction. Honestly, I just wanted to share my frustration because this situation made me sad,” Kokorin said. “A lot of people misunderstood me and think I want money or something. In fact, I just wish companies wouldn’t ignore researchers and be more friendly when you try to help them.”
It is not known if anyone other than Kokorin found the bug or if it has been exploited maliciously.
While the threat of this bug, at this point, is unknown, Microsoft has faced several security problems in recent years, prompting investigations by both federal regulators and congressional legislators.
Last week, Microsoft president Brad Smith testified at a House hearing after China stole a batch of US federal government emails from Microsoft servers in 2023. At the hearing, Smith promised a renewed effort to prioritize cybersecurity at the company after a series of security embarrassments.
Months earlier, in January, Microsoft confirmed that a Russian-linked hacking group had broken into Microsoft corporate email accounts to steal information about what the company’s top executives knew about the hackers themselves. And last week, ProPublica revealed that Microsoft failed to heed warnings about a critical flaw that was later exploited in the Russian-backed cyber espionage campaign targeting tech company SolarWinds.