A bug at Microsoft allows attackers to send emails from @microsoft.com addresses. Phishing messages suddenly look much more realistic.
A security researcher has discovered a flaw in Microsoft’s mail system. Criminals can abuse it to send forged emails that appear to come from legitimate Microsoft addresses. Researcher Vsevolod Kokorin demonstrated the flaw to TechCrunch by sending an email from security@microsoft.com.
According to the researcher, the vulnerability only works for emails sent to Outlook accounts. These accounts still represent about 400 million users worldwide. In addition, these are usually personal accounts, where the owner alone is responsible for not falling for phishing.
No reaction
Kokorin reported the problem to Microsoft several times, but said it wasn’t taken seriously. It wasn’t until he started making his findings more public that Microsoft really started working on it.
TechCrunch knows the details of the bug but is not sharing them to prevent abuse. It is unclear whether criminals are aware of the problem. Microsoft is currently working with Kokorin on a solution but has not yet officially responded. It is therefore also unclear whether the bug is being actively exploited and when it will be fixed.
Microsoft recently admitted that it has not always made the right security decisions. That, just a few days later, a security researcher has had to complain publicly about Microsoft ignoring a legitimate bug report does not look particularly good for the company.