Pierluigi Paganini
June 20, 2024
The security researcher Vsevolod Kokorin (@Slonser) discovered a bug that allows anyone to impersonate Microsoft corporate email accounts. An attacker can trigger the vulnerability to launch phishing attacks.
I want to share my recent case:
— slonser (@slonser_) June 14, 2024
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to stop the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
The researchers demonstrated the bug exploitation to TechCrunch, Kokorin told TechCrunch that he reported the bug to Microsoft, but the company replied that it couldn’t reproduce his findings. Then Kokorin disclosed the flaw on X.
The researcher explained that the vulnerability works when an attacker sends an email to Outlook accounts.
“Kokorin said he last followed up with Microsoft on June 15. Microsoft did not respond to TechCrunch’s request for comment on Tuesday.” reported TechCrunch. “TechCrunch is not divulging technical details of the bug in order to prevent malicious hackers from exploiting it.”
Kokorin expressed surprise at the reaction to his report, he pointed out that he was only offering assistance to Microsoft.
At this time the issue has yet to be addressed, and it is unclear if any threat actors have already exploited it in attacks in the wild.
We will continue to follow the evolution of this case.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, spoofing)
