Security bug allows anyone to spoof Microsoft employee emails

A bug allows anyone to spoof Microsoft emails for phishing. Microsoft didn't initially fix the bug. The issue only affects Outlook users.

A security bug allows anyone to impersonate Microsoft email accounts, making phishing attempts more convincing. Researcher Vsevolod Kokorin reported the bug, but Microsoft initially dismissed it. The bug affects emails sent to Outlook accounts, impacting potentially 400 million users.

A researcher, Vsevolod Kokorin, discovered a security bug that allows anyone to spoof Microsoft corporate email accounts, which could make phishing attempts more believable. Although he reported the bug, Microsoft initially dismissed his findings, saying it couldn't reproduce the issue. Frustrated, Kokorin publicized the bug but withheld the technical details to prevent exploitation.

The bug specifically affects emails sent to Outlook accounts, so it could potentially impact a minimum of 400 million users worldwide, according to Microsoft's latest earnings report. Microsoft reopened Kokorin's report after he publicized the bug but has yet to issue a patch to resolve the issue. Kokorin clarified that his aim was not monetary gain but to motivate companies to take researchers seriously and be more cooperative.

Although it's unclear if others have discovered or maliciously exploited the bug, Microsoft's recent history of security problems has drawn oversight from federal regulators and Congress. The company has been scrutinized for incidents including a China-backed email theft from U.S. federal government servers and a Russian-linked hacking group accessing Microsoft corporate accounts. In response, Microsoft’s president pledged to prioritize cybersecurity following these incidents.