A new security flaw allows attackers to impersonate Microsoft corporate email accounts, increasing phishing risks. Discovered by researcher Vsevolod Kokorin (Slonser), the bug remains unpatched by Microsoft.
Kokorin revealed the issue on X (formerly Twitter) after Microsoft dismissed his report. To prove the flaw, Kokorin sent an email to TechCrunch that seemed to come from Microsoft’s account security team.
The bug affects Outlook accounts, a user base of at least 400 million worldwide according to Microsoft’s latest earnings report. Kokorin expressed frustration with Microsoft’s response, saying, “They claimed they couldn’t reproduce it without details. However, after my tweet, they reopened an old report I submitted months ago.”
Kokorin has withheld the technical details that would facilitate exploitation. The risk is nonetheless significant: an attacker able to send mail that appears to originate from a legitimate Microsoft address gains a level of credibility that ordinary phishing lures lack, and recipients are far more likely to act on a message that seems to come from Microsoft itself.
This issue compounds Microsoft’s recent security challenges, including breaches by state-sponsored hackers from China and Russia.
In response, Microsoft President Brad Smith testified before the House Homeland Security Committee, committing to prioritize cybersecurity and address the company’s security flaws.
This commitment comes in the wake of several notable breaches, such as the theft of U.S. federal government emails by Chinese hackers and the compromise of Microsoft corporate email accounts by Russian hackers.
As of now, it is unknown whether anyone other than Kokorin has exploited the bug. Microsoft has yet to comment on the matter, and until it is fixed the vulnerability remains a considerable risk to Outlook users globally.