New Security Warning for Outlook Users: Email Bug Found

A security researcher has issued a critical warning to all 400 million Microsoft Outlook users after discovering an email bug that could allow anyone to impersonate official Microsoft accounts.

Vsevolod Kokorin, a security researcher at SolidLab, revealed the vulnerability on X, formerly known as Twitter. He expressed frustration with Microsoft, stating that despite responsibly disclosing the serious issue affecting Outlook email, Microsoft claimed they could not reproduce the bug.

Kokorin has chosen not to disclose the technical details needed to exploit the bug at this time. However, he explained that the bug allows anyone sending an email to another Outlook user to impersonate official Microsoft corporate accounts. This means that emails can appear to come from Microsoft’s security team, posing significant risks for phishing, malware distribution, and cybercrime.

How to Mitigate the Risk of the New Outlook Spoofing Bug

Although the vulnerability only seems exploitable when sending email from one Outlook user to another, it still creates a significant threat given the vast number of users. Kokorin reached out to TechCrunch, which confirmed receiving a spoofed email that convincingly appeared to be from the Microsoft security team.

I have contacted Microsoft for a statement and will update this article accordingly. Meanwhile, Outlook users are highly advised to stay vigilant against any suspicious requests that appear to come from Microsoft.

In an update to his original post, Kokorin mentioned that “at this point, they have acknowledged the issue,” suggesting that a patch may be forthcoming if the vulnerability is fixable. This is crucial, as Kokorin also noted that the spoofed emails passed DMARC authentication tests designed to prevent such security threats.

The Security Expert View

Max Gannon, the cyber intelligence team manager at Condense, warned that, if confirmed, “this bug could allow the targeting of even the most suspicious and well-trained individuals.”

Gannon emphasized the vulnerability highlights our reliance on companies like Microsoft to prevent such bugs. He stressed the importance of major companies taking security researchers seriously and putting in more than a token effort to verify bugs that could cause significant harm.