Security Bug Makes Impersonating Microsoft Corporate Emails Possible for Anyone

• Security researchers discovered a flaw that allows for spoofing Microsoft employee emails possible for anyone.
• This bug can be easily leveraged by threat actors in phishing campaigns. 
• Since a patch is not yet available, the details of the exploit have not been made public.

An email-spoofing vulnerability could let anyone impersonate a Microsoft corporate email, as reported on X (formerly Twitter) by Vsevolod Kokorin, also known online as Slonser, who notified the company of this worrying discovery. 

This flaw allows sending email messages from any user and domain. However, Kokorin said the bug only manifests when sending emails to Outlook accounts, and according to Microsoft's latest earnings report, at least 400 million of them exist around the world. 

The researcher says the tech giant couldn’t reproduce his findings and dismissed his discovery. After posting this finding, the researcher said Microsoft reopened one of his older reports submitted several months ago, mentioning he would like companies to be more friendly when researchers try to help them.

Kokorin did not publish technical details that would help malicious actors abuse this bug, but he made a video with the exploitation, a full proof of concept (PoC). There is no information regarding anyone else finding this flaw or if it has already been exploited by bad actors.

Microsoft has experienced several security issues in recent years, such as China stealing U.S. federal government emails from the company’s servers in 2023 and a hacking gang linked to Russia breaching Microsoft's corporate email accounts to steal information. 

Microsoft refused to acknowledge a critical security flaw due to fears of losing government business. Yet Russian hackers later exploited that vulnerability, targeting the National Nuclear Security Administration, tech company SolarWinds, and others.