- Vsevolod Kokorin (also known online as Slonser) reported an email spoofing vulnerability to Microsoft and, after the company dismissed his report, disclosed its existence on X (formerly Twitter) without publishing technical details.
- Microsoft has experienced several security problems in recent years, prompting investigations by both federal regulators and congressional lawmakers.
OUR TAKE
The incident sparked a discussion about vulnerability disclosure and about which technical details should be made public. The technical community often holds different positions on the disclosure of security vulnerabilities, such as reporting the issue to the vendor to facilitate a fix and withholding details that would let attackers exploit it. In this case, Kokorin's approach not only increases the transparency of vulnerability disclosure, but also protects users and enterprises from potential threats.
–Revel Cheng, BTW reporter
A researcher says he has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.
What happened
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he had found the email-spoofing bug and reported it to Microsoft, but that the company dismissed his report, saying it could not reproduce his findings. This prompted Kokorin to publicize the bug's existence on X, without providing technical details that would help others exploit it.
"Microsoft just said they couldn't reproduce it without providing any details," Kokorin said. "Microsoft might have noticed my tweet because a few hours ago they reopened one of my reports that I had submitted several months ago."
While the severity of this bug is not yet known, Microsoft has experienced several security incidents in recent years, prompting investigations by both federal regulators and congressional lawmakers.
Last week, Microsoft president Brad Smith testified in a House hearing after China stole a tranche of U.S. federal government emails from Microsoft’s servers in 2023. In the hearing, Smith pledged a renewed effort to prioritize cybersecurity in the company after a slew of security embarrassments.
Why it’s important
The vulnerability reportedly affects Outlook accounts, and Outlook still has some 400 million users, so the potential attack surface is large. By spoofing a major brand such as Microsoft, threat actors could craft convincing and highly dangerous phishing emails, so the threat posed by this vulnerability is real. Because Kokorin withheld the technical details, it is not yet known which sender-authentication checks, if any, a spoofed message would pass, so recipients cannot assume that a message appearing to come from a Microsoft address is genuine.
It is also currently unknown whether Slonser was the first to find the bug, or whether someone else had already discovered it and abused it in attacks.
Microsoft has recently faced criticism after a series of security failures that allowed Chinese threat actors to access emails belonging to high-ranking US government employees. In response, Microsoft announced a full overhaul of its security practices and said it had placed cybersecurity "above all else".
The incident not only damaged Microsoft’s reputation, but also raised deeper concerns about data security in the public and corporate sectors.