A bug has been discovered that allows anyone to send emails pretending to be a Microsoft employee
A bug has been discovered in Microsoft's email client,
I want to share my recent case:
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I will send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to stop the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
— slonser (@slonser_) June 14, 2024
Security bug allows anyone to spoof Microsoft employee emails | TechCrunch
https://techcrunch.com/2024/06/18/security-bug-allows-anyone-to-spoof-microsoft-employee-emails/
Vsevolod Kokorin, a security researcher at SolidLab, posted on X (formerly Twitter) that he had discovered a vulnerability that allows an email to be sent as any user at any domain. As a demonstration, Kokorin published an email that appears to have been sent from Microsoft Security, Microsoft's security division.
According to Kokorin, the bug only triggers when emails are sent to Outlook accounts, but Microsoft puts the number of Outlook users at 'approximately 400 million worldwide,' so a large population of recipients could be exposed to spoofed mail.
Kokorin has therefore not released any technical details of the bug, citing the need to 'prevent malicious hackers from exploiting this bug.'
I haven't published it yet because I don't want my technique to be used for illegal purposes. I'm considering a publication strategy.
— slonser (@slonser_) June 15, 2024
Kokorin reported the bug to Microsoft, but Microsoft declined to investigate, saying it could not reproduce his report. Kokorin then made the issue public on X and criticized Microsoft's stance, saying, 'When I reported a similar problem to Google, the problem was resolved immediately and not ignored.'
for example, when I reported similar problems to Google (gmail, golang), everything was resolved quickly and I was not just ignored.
— slonser (@slonser_) June 16, 2024
Kokorin later said, 'Microsoft seems to have noticed my post and has contacted me to say that they have resumed testing on this bug.'
'I didn't expect my small X account to get so many responses,' Kokorin said. 'I didn't post about this bug to get money.' He also told TechCrunch that he wants companies 'not to look down on researchers and to support them in a friendlier way.'
I didn't do this to get paid or anything like that. I'm just tired of Microsoft, I was already angry when they simply didn't respond to my 0day in C# SMTP (check my last article), this just became the final point.
— slonser (@slonser_) June 16, 2024