A critical vulnerability in a Microsoft security tool used to simulate phishing attacks made it possible to launch real phishing attacks through it. It took almost a year to fix the vulnerability.
Staff training is an important part of cybersecurity, so there are all sorts of tools for testing and sharpening employees' reflexes without potentially irreversible consequences for your company. Microsoft offers one as well: Attack simulation training, a tool in the Microsoft 365 offering that can be used to send phishing emails to employees via Outlook. Luckily, those emails are not real, but a vulnerability in the tool could have changed that.
In early 2023, Dutch cybersecurity expert Vaisha Bernard, who works at Eye Security, noticed something strange about the tool. While testing it, he found a template whose link led to a webpage mimicking Atlassian Confluence. The domain behind that link was not registered, so Bernard registered it in his own name.
Unregistered domains
Within days, the domain Bernard had registered was receiving requests from people all over the world. This led to the discovery of two major issues in the phishing simulation tool: the templates contained links to unregistered pages and domains, and the sender addresses Microsoft used for the phishing simulations were also on unregistered domains.
Bernard immediately informed Microsoft of his discovery. Such domains can be registered for as little as ten dollars, by anyone, including people with bad intentions, and whoever holds them receives the traffic from every simulation that uses them. In other words, the vulnerability turned Attack simulation training into a vehicle for real phishing attacks, the opposite of what it was intended for. There will always be people who click on a link. Ultimately, it took until early November for the problem to be fully resolved.
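The underlying mistake is easy to repeat in any in-house phishing-simulation programme: a template's landing-page links or sender addresses use a domain nobody has actually registered, so anyone who pays for it inherits the clicks and replies. The script below is an added example written for this article, not code from Microsoft or Eye Security, and it knows nothing about the real format of Attack simulation training templates. It assumes templates are available as a sender string plus an HTML body, extracts every link and sender domain, reduces them to registrable (eTLD+1) names, and flags any that are not in a constructed list of domains the organisation owns. The domain list and the two templates are invented for the example.

```python
import re
from urllib.parse import urlparse

# Domains the organisation controls, as registrable (eTLD+1) names.
# Constructed for this example; it is not anyone's real inventory.
OWNED_DOMAINS = {"example.com", "example-training.net"}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should use the Public
    Suffix List (e.g. the tldextract package): 'co.uk'-style suffixes are
    mishandled by this shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_domains(html):
    """Yield (url, registrable_domain) for every absolute http(s)/mailto link.
    Relative links, anchors and javascript: URLs carry no domain to check."""
    for url in HREF_RE.findall(html):
        parsed = urlparse(url.strip())
        if parsed.scheme in ("http", "https") and parsed.hostname:
            yield url, registrable_domain(parsed.hostname)
        elif parsed.scheme == "mailto":
            m = EMAIL_RE.search(parsed.path)
            if m:
                yield url, registrable_domain(m.group(1))


def sender_domain(sender):
    """Registrable domain of the address in a 'Name <user@host>' sender string."""
    m = EMAIL_RE.search(sender)
    return registrable_domain(m.group(1)) if m else None


def audit_template(template, owned=OWNED_DOMAINS):
    """Return (kind, value, domain) findings for every sender or link whose
    domain is not one we own. Such a domain may be unregistered today, which
    means anyone can buy it and start receiving the simulation's traffic."""
    findings = []
    dom = sender_domain(template["sender"])
    if dom is None or dom not in owned:
        findings.append(("sender", template["sender"], dom))
    for url, dom in link_domains(template["html"]):
        if dom not in owned:
            findings.append(("link", url, dom))
    return findings


def audit_templates(templates, owned=OWNED_DOMAINS):
    """Map template name -> findings; an empty list means the template is clean."""
    return {t["name"]: audit_template(t, owned) for t in templates}


# Constructed sample templates (not Microsoft's real ones).
TEMPLATES = [
    {"name": "password-expiry",
     "sender": "IT Helpdesk <helpdesk@example.com>",
     "html": '<p>Reset <a href="https://sso.example.com/reset">here</a> '
             'or <a href="mailto:helpdesk@example.com">reply</a>.</p>'},
    {"name": "confluence-mention",
     "sender": "Confluence <noreply@confluence-notify-example.org>",
     # The hostname starts with an owned name but registers under a stranger's.
     "html": '<a href="https://wiki.example.com.confluence-login.info/view">'
             'Open page</a> <a href="#">top</a>'},
]

if __name__ == "__main__":
    for name, findings in audit_templates(TEMPLATES).items():
        print(f"{name}: {'ok' if not findings else 'REVIEW'}")
        for kind, value, dom in findings:
            print(f"  {kind}: {value} -> {dom}")
```

Comparing against an allow-list of domains you own is deliberately stricter than asking "is this domain registered?": a lookalike that somebody else already owns is just as dangerous as an unregistered one. A live RDAP or DNS lookup can be bolted on as a second signal, but it needs network access and is left out here so the example runs offline.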
All’s well that ends well
In a response to BNR Nieuwsradio, to which Bernard had earlier told his story, Microsoft stressed that there was no evidence of abuse by malicious actors. Had a criminal discovered the vulnerability before Bernard, however, thousands of people could have been exposed to phishing attacks.
According to the Dutch expert, there is a clear lesson to be learned from the incident. “In a broader perspective, it shows that preventative measures – such as awareness training, endpoint and cloud security – are only the first line of defense. You should assume that you are being hacked. So make sure you can quickly detect cyberattacks and respond appropriately.”