Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Microsoft IT

Security Bug Allows Anyone To Spoof Microsoft Employee Emails (techcrunch.com) 73

A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets. From a report: As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft's account security team. Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company dismissed his report after saying it couldn't reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.
This discussion has been archived. No new comments can be posted.

Security Bug Allows Anyone To Spoof Microsoft Employee Emails

Comments Filter:
    • Outlook is a massive security risk that doubles as an email client. (That's an old joke applicable to Microsoft in-general).

      • If you wanted to almost completely end phishing entirely, forget names in the from. Always show the user the from email address. Always.
        • That's not enough, although I agree it should be done. But with font kerning tricks - and especially with Unicode - you can make that "from:" address look like it's from just about any arbitrary domain you choose.

          Another step would be to train IT staff in how to not make an official email look like a damn phishing attack! Our university's central IT group sent out a bunch of "your access to service NNN is about to expire" emails earlier this year that looks way too much like a phishing email - warning abou

          • by Bert64 ( 520050 )

            Yes a lot of legitimate emails (and calls) look exactly like scams, which teaches people to become more susceptible to the malicious ones.
            I end up getting hassled because i keep reporting mails to incident response, which turn out to be legitimate mails.

            The solution is S/MIME, which is supported by virtually every mail client and has been to years, but is not widely used.

            • Yes a lot of legitimate emails (and calls) look exactly like scams...

              No, it's the other way around, scams are made to look like the legitimate e-mails so users fall for it because it looks authentic.

  • by Ed Avis ( 5917 ) <ed@membled.com> on Wednesday June 19, 2024 @09:14AM (#64560799) Homepage
    Fixed that for you

    Last week, or seven days ago, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing (also known as forgery) bug (or vulnerability) and reported or disclosed it to Microsoft, formerly known as Micro-Soft.

  • Comment removed based on user account deletion
    • by ls671 ( 1122017 )

      I assume he means the emails will pass tests such as DKIM and SPF otherwise yes, it would be trivial to simply fake the From: field, it has always been, hence DKIM which signs that.

      • Comment removed based on user account deletion
      • Exactly this. The summary states that the researcher emailed TechCrunch in a demonstration. I doubt that TechCrunch is not performing dkim/dmarc/SPF checks etc.

        • Comment removed based on user account deletion
          • ONLY working on Outlook 365 and personal accounts is still a lot of people. Techcrunch is using Proofpoint for their main domain, so they would have had to set up either a personal @hotmail or @outlook account or a new 365 tenant domain without email connectors. It probably relies to implicit trust when mail is handed back and forth within Microsoft's systems.

        • Microsoft does not run full spam checks on all emails that originate in Microsoft and are sent to a Microsoft-hosted email address. In fact, Microsoft doesn't even publish a full SPF list for domains to include -- there is an SPF TXT record that can be included, but I regularly see SPF failures in my RUA reports where the origin IP address belongs to Microsoft.

          I assume that this internal bypass of the spam filtering is the root of this vulnerability.

      • SPF is easy. If you're using Microsoft servers through your own account to send, and it accepts the spoofed sender email, then it will be delivered.

        DKIM is harder. I suspect that might have to do with inbound connectors and email forwarding. You set up an inbound connector that accepts untrusted email, and then set up a forwarding rule to send it to your target. It probably uses a system that implicitly trusts a lot and bypasses a lot of security checks and signs using the sender domain, since it has ac

        • by boulat ( 216724 )

          Most of these spoofed email bugs are related to SPF record that uses ~all instead of -all

          A lot of companies still use ~all and can be even be attacked through trusted domains and IP records they have whitelisted.

          Its not a "vulnerability", just an amateur security team.

          Nothing new here.

          • They can be -all if you're using another 365 account for this scheme.

            The problem is that DMARC analysis is still incredibly complex. Either you're paying high monthly fees to someone or you're using an extremely complex open source option. That's how you find out if you're ready to move from ~all to -all, because you can see the SPF alignment of every email coming from your domain (among recipient providers that send reports).

            • I can answer the question of whether you should move to -all if you use Microsoft to host your email. In this case, you cannot move to
              "-all"

              I see the failures in the RUA reports. They are not failures from my company's SPF or DKIM setup.

              • I forgot. Microsoft has a serious problem with using additional outbound IP addresses that aren't in their SPF ranges.

                But aside from that, it sounds like -all wouldn't fix the vulnerability in the article, because it's using Microsoft's own servers to carry out delivery.

                • But aside from that, it sounds like -all wouldn't fix the vulnerability in the article, because it's using Microsoft's own servers to carry out delivery.

                  Exactly.

      • by mysidia ( 191772 )

        These protocols can still generally be bypassed though. When you receive an email message: You need to look at both the Envelope From and the message body rfc822 From header.

        SPF Protects Only the Envelope from header but not the normal From header inside the message which most Email clients display at the top and in the message list.

        Changing the normal From header is necessary for things like Forwarded messages, and Listserv mailing list mail. If I want to have my xyzabcdef@example.com email addre

  • by YetAnotherDrew ( 664604 ) on Wednesday June 19, 2024 @09:26AM (#64560827)
    billg@microsoft.com doesn't need me to wire him $10,000?
  • by DarkOx ( 621550 ) on Wednesday June 19, 2024 @09:34AM (#64560839) Journal

    Microsoft just isnt serious about security not in the we should be a trusted partner to handled classified intel sort of way.

    Whatever they might say about it the "Shared Responsibility" model boils down (for them) to no matter how obviously causal weakness in our products and PAAS services are we are going to find a way to blame the victim.

    You see this in every action they take, like hiding audit features and identity and access management into upper license classes. The entire industry basically says MFA is must, but if you want conditional access in Microsoft's platform you are upgrading those users to P2 licenses! Then when you don't and your people get cred stuff MS will tell you 'should had x,y,z enabled, which you would have other than it would have cost a bunch more...'

    I don't have problem with IT vendors competing on security, I don't have a problem with automakers competing on safety. However I do have a problem with MS aming a product at the nexus of security vs cost which is appropriate for small-to-medium business, lobbying congress to use it for the nations most critical information in terms of confidentiality and integrity requirements, and then inventing a bunch of silly rules and slogans to point the finger elsewhere when things go wrong.

    Windows and Azure are fine if you are building bicycles in Ohio, and maybe its even alright if you are selling dry-goods in stores nation wide. It is maybe not good enough for critical infrastructure. Maybe it does not cost enough to be and that is fine. Someone else should fill that gap.

    • Microsoft is bad at security, but I think Google is worse at email security. It seems like every time I get a scam email, it is from a compromised @gmail.com address.

      You see this in every action they take, like hiding audit features and identity and access management into upper license classes.

      This is just a really bad attempt at bait and switch. Lure people in with the lower prices but then everyone needs higher tier service just to have any security. Except that nobody is paying those prices for just that.

      The problem is, the bicycle shops and stores need this as much as any large enterprise. You can't even find out if your user

    • Microsoft is in a position of deeply perverse incentives when it comes to security. They do spend a fair amount of money on it, and some of their offerings are at least OK; but they are positioned as separate offerings that they made ~$20 billion on last year, and which are typically given a favored position through a combination of license bundling schemes and EZ default integrations with their other products.

      That's...quite an incentive...to not treat security as a mandatory baseline feature of all your
      • by gweihir ( 88907 )

        Well, yes. And it is high time to un-perverse these incentives and regulate MS like the critical infrastructure and service provider they unfortunately are. The damage they already do is far too high to not do that.

    • You see this in every action they take, like hiding audit features and identity and access management into upper license classes. The entire industry basically says MFA is must, but if you want conditional access in Microsoft's platform you are upgrading those users to P2 licenses! Then when you don't and your people get cred stuff MS will tell you 'should had x,y,z enabled, which you would have other than it would have cost a bunch more...'

      It's good to be King. You can bitch all you want, but you either pay or suffer. There are zero options.

  • by Anonymous Coward

    v=DMARC1; p=none; sp=quarantine; pct=100; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1

  • If I find an e-mail in my in-box purportedly from Microsoft, I know it's fake. I have yet to see a Microsoft system sucsessfully deliver anything.

  • Microsoft Outlook has the pet name Micro-slop "Look out!" as a work colleague called it during the Melissa https://en.wikipedia.org/wiki/... [wikipedia.org] security "incident" way back when.

    The last time I had "an important message from" was when the president of Hotmail announced Microsoft was buying Hotmail...yeah it became hot, like Chernobyl.

    "We're sorry..." and a "pledge" is much cheaper than actually fixing code so that execs can get their bonuses from increased profits.

    JoshK.

    As a Microsoft COM genius once wrote "Mi

  • > The bug, according to Kokorin, only works when sending the email to Outlook accounts.

    It sounds like the mail is being submitted to Microsoft's SMTP servers directly. Of course you can't use that to relay outside of Outlook. I'm wondering if the "hack" is just submitting an email via SMTP? I too discovered this "exploit" when I was 10.

    • If it is that simple then there's something pretty badly wrong with Microsoft's handling of SPF, DKIM, and DMARC.

      It certainly is trivial to just fake up just about anything in an email(aside from the signatures you'd need the DKIM private key to generate); but it absolutely isn't supposed to be trivial to produce email with faked values that also withstands scrutiny when those records are expected(and one would hope that Microsoft can be nice and humorless about the correctness of email from microsoft.co
  • This is nothing new. Back in the 70's we just used telnet to connect to an SMTP server and typed in the text of the email we wanted to send, complete with the address to use as the sender of that email. Anything you wanted could go in that email, and the sender, would appear as anyone you wanted it to be. Bugs Bunny, POTUS, anyone. Now the SMTP servers likely require authentication, but the system is still vulnerable if you find an old SMTP server running ancient software. We now have certificates and spam

    • by SendBot ( 29932 )

      This exploit is not at all like providing an arbitrary "from:" header. We've had SPF for decades now, plus there's DMARC and DKIM. Anonymous smtp relays have been exploited out of existence. The "system" is not "still vulnerable".

      Everything about this semi-informed nonsense is so far off the mark that it's hard to distinguish from intentional trolling.

      • Some people stop learning at a certain age and also figure there's nothing new.

        The former is fine, I suppose. COBOL programmers have a few more years to make mint.

    • by gweihir ( 88907 )

      So you are saying MS is running "an old SMTP server running ancient software"? Would make sense to me. They fuck up everything else they do.

  • Whoever entrusts their security to Microsoft deserves what happens to them.

    • by gweihir ( 88907 )

      I would not care much if every IT person that trusts MS dies in fire. The problem is that with the size of MS, I and a lot of others that never trusted MS and a lot of people that are not IT people and cannot reasonably be expected to know better will go down with them.

  • Gee I remember the old spammers trick using the port 25 exploit to do something similar.

    telnet
    set localecho
    OPEN my.email.server.com 25
    MAIL FROM: me@my.email.server.com
    RCPT TO: you@your.email.server.com
    DATA
    Subject: This is the Microsoft Security Team!

    This is the Microsoft Security Team to let you know of a major breach.
    .
    QUIT
  • I mean something like this is obvious material for a speedy escalation to the core security team. Apparently MS neither has that nor does it have escalation rules worth crap.

  • I have reported spam sent from their networks to Microsoft before, and I all I ever got back from the "Microsoft Security Response Center" is "This report could not be validated, no action was taken.", no matter how clearly I defined what the problem was, indicating the Microsoft IPs where the spam originated at the exact timestamps, all backed by .eml samples.

    Just to get an idea of how much they try to dissuade you from reporting spam in the first place, by making you jump through ridiculous hoops, their l

  • It's a feature
    M$ contracts most software quality assurance staff in order to keep users buying newer operating systems. It's American ingenuity sucking the life out of their market domination so the management can afford to retire instead of being contract labor until they are 80 years old.

  • What is the problem based on? If it's due to MS Exchange or outlook.com it can be a bigger problem.

    If it's something to do with the DNS setting, it should be fixed relatively easily.

  • Despite all the grousing here, this is a non-story. According to the article, MS said they could not reproduce it following the submitter's instructions and the submitter hasn't provided any details to anyone else.

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...