A new Microsoft security exploit has been found, allowing basically anyone to impersonate Microsoft corporate email accounts, TechCrunch reported.
First discovered by security researcher Vsevolod Kokorin last week, the Microsoft bug allows people to use existing email addresses when sending emails to other Outlook accounts.
(Photo : Jeenah Moon/Getty Images)
In a post on X (formerly Twitter), Kokorin showed how the bug even allows users to impersonate the Microsoft Security team, highlighting its potential risk for phishing attacks.
I want to share my recent case:
— slonser (@slonser_) June 14, 2024
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to stop the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
Microsoft Outlook supports at least 400 million active users worldwide.
As of writing, the bug is reportedly still present, although Microsoft seems to have already taken notice of Kokorin's X post.
Reports of a new Microsoft security vulnerability came just weeks after cybersecurity firm Kaspersky noted a Windows 10 exploit that could allow hackers to transfer malware into computers undetected.
Also Read: Microsoft Windows Hit with New Ransomware Vulnerability, Puts Millions at Risk
Microsoft Faces Growing Security Scrutiny
The discovery of the new email-spoofing exploit came at a critical period for Microsoft as more security concerns mounted against the tech giant.
Just last week, Microsoft testified before the Senate following two separate major data breaches reported within 12 months, including a suspected China-led hacking that leaked government data.
Both of the reported incidents involved one of its employee accounts being compromised which led to the hackers accessing important company data and source code.
A scathing report from the Cyber Safety Review Board later criticized Microsoft for its "inadequate" security culture on an intrusion that is supposed to be "preventable and should never have occurred."
Microsoft has since vowed to put safety measures at the "No. 1 priority," but not before being scrutinized for its hack-prone AI-powered "Recall" feature in the upcoming Copilot+ PCs update.
Related Article: Microsoft Delays Controversial AI 'Recall' Feature Amid Safety, Security Concerns
Becoming Alert Against Phishing Attacks
With the rise of phishing and scamming schemes online, it is only important to remain alert against bogus accounts and impersonating legitimate businesses and officials.
One key giveaway to scammers is that they often would urge their victims to provide payment immediately to resolve a service or account issue.
To counter this strategy, always double-check with official customer support centers before sending any money online.
