A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.
As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team.
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company dismissed his report after saying it couldn’t reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.
“Microsoft just said they couldn’t reproduce it without providing any details,” Kokorin told TechCrunch in an online chat. “Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”
The bug, according to Kokorin, only works when sending the email to Outlook accounts. Still, that is a pool of at least 400 million users all over the world, according to Microsoft’s latest earnings report.
Kokorin said he last followed up with Microsoft on June 15. Microsoft did not respond to TechCrunch’s request for comment on Tuesday.
TechCrunch is not divulging technical details of the bug in order to prevent malicious hackers from exploiting it.
“I did not expect my post to get such a reaction. Honestly, I just wanted to share my frustration because this situation made me sad,” Kokorin said. “Many people misunderstood me and think that I want money or something like that. In reality, I just want companies not to ignore researchers and to be more friendly when you try to help them.”
It’s not known if anyone other than Kokorin found the bug, or if it has been maliciously exploited.
While the threat of this bug, at this point, is unknown, Microsoft has experienced several security problems in recent years, prompting investigations by both federal regulators and congressional lawmakers.
Last week, Microsoft president Brad Smith testified in a House hearing after China stole a tranche of U.S. federal government emails from Microsoft’s servers in 2023. In the hearing, Smith pledged a renewed effort to prioritize cybersecurity in the company after a slew of security embarrassments.
Months earlier, in January, Microsoft confirmed that a Russian-government linked hacking group had broken into Microsoft corporate emails accounts to steal information about what the company’s top executives knew about the hackers themselves. And last week, ProPublica revealed that Microsoft had failed to heed warnings about a critical flaw that was later exploited in the Russian-backed cyber espionage campaign that targeted tech company SolarWinds.