A bug in Microsoft’s email system has been found to allow anyone to impersonate corporate email accounts, making phishing attempts more believable and likely to succeed. The bug has not been patched, and the researcher who discovered it, Vsevolod Kokorin, has shared a demonstration of the bug, including sending an email that appeared to be from Microsoft’s account security team.
Kokorin, known online as Slonser, claimed to have reported the bug to Microsoft last week, but the company was unable to reproduce his findings and dismissed his report. Kokorin then publicized the bug on X, without providing technical details, after feeling frustrated and dismissed by Microsoft.
The bug only works when sending emails to Outlook accounts, but it affects a pool of at least 400 million users worldwide. Kokorin had reported the bug to Microsoft multiple times, including on June 15, but did not receive a response. Microsoft declined to comment on the bug when asked by Truth Voices.
The discovery of the bug has sparked concerns about its potential for malicious exploitation, but it’s unclear if anyone else has found or exploited the bug. Microsoft has faced numerous security issues in recent years, including high-profile hacking incidents and failures to prioritize cybersecurity. This has prompted investigations by both federal regulators and congressional lawmakers. In response, the company’s president, Brad Smith, pledged a renewed effort to address security concerns.
