Security Bug Allows Anyone To Spoof Microsoft Employee Emails

A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets. From a report: As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft's account security team. Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company dismissed his report after saying it couldn't reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.

This email is from Microsoft

[oldgraybeard]

We're here to help!

Re:

[echo123]

Outlook is a massive security risk that doubles as an email client. (That's an old joke applicable to Microsoft in-general).

Re: This email is from Microsoft

[saloomy]

If you wanted to almost completely end phishing entirely, forget names in the from. Always show the user the from email address. Always.

Re:

[93 Escort Wagon]

That's not enough, although I agree it should be done. But with font kerning tricks - and especially with Unicode - you can make that "from:" address look like it's from just about any arbitrary domain you choose.

Another step would be to train IT staff in how to not make an official email look like a damn phishing attack! Our university's central IT group sent out a bunch of "your access to service NNN is about to expire" emails earlier this year that looks way too much like a phishing email - warning abou

Re:

[Bert64]

Yes a lot of legitimate emails (and calls) look exactly like scams, which teaches people to become more susceptible to the malicious ones.
I end up getting hassled because i keep reporting mails to incident response, which turn out to be legitimate mails.

The solution is S/MIME, which is supported by virtually every mail client and has been to years, but is not widely used.

Re:

[MoreDruid]

Yes a lot of legitimate emails (and calls) look exactly like scams...

No, it's the other way around, scams are made to look like the legitimate e-mails so users fall for it because it looks authentic.

Please don't omit the alternative names, thx

[Ed Avis]

Fixed that for you

Last week, or seven days ago, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing (also known as forgery) bug (or vulnerability) and reported or disclosed it to Microsoft, formerly known as Micro-Soft.

Re: Please don't omit the alternative names, thx

[LordofWinterfell]

X is such a generic letter, I can see that they use the formerly, so people arenâ(TM)t confused thinking itâ(TM)s a placeholder. Nobody calls Twitter just X, except Elon.

Re:

[fahrbot-bot]

Nobody calls Twitter just X, except Elon.

I still call it Twitter, though I'm sure, even with whatever faults they had, that's a HUGE disservice to the old company, but I refuse to call it, "X" 'cause it's dumb. I might consider, "Just X" though, thanks for that. :-)

Re:

[whoever57]

I still call it Twitter, though I'm sure, even with whatever faults they had, that's a HUGE disservice to the old company, but I refuse to call it, "X" 'cause it's dumb. I might consider, "Just X" though, thanks for that. :-)

I prefer "Xitter".

Re: Please don't omit the alternative names, thx

[93 Escort Wagon]

I prefer "Xitter".

I bet I know how you pronounce that, too!

Re:

[bill_mcgonigle]

Twix isn't taken in this trademark class, is it?

Re:

[ArsenneLupin]

I know what X is, but what the hell are arenâ and itâ? Never heard about these trademarks. Or did you just late catch COVID and sneeze on your keyboard? :-)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ls671]

I assume he means the emails will pass tests such as DKIM and SPF otherwise yes, it would be trivial to simply fake the From: field, it has always been, hence DKIM which signs that.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[fahrbot-bot]

Well TFA says Microsoft can't reproduce it.

So... maybe it's a feature? :-)

Re: Just a spam filter not working?

[Al_Lapalme]

Exactly this. The summary states that the researcher emailed TechCrunch in a demonstration. I doubt that TechCrunch is not performing dkim/dmarc/SPF checks etc.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[omnichad]

ONLY working on Outlook 365 and personal accounts is still a lot of people. Techcrunch is using Proofpoint for their main domain, so they would have had to set up either a personal @hotmail or @outlook account or a new 365 tenant domain without email connectors. It probably relies to implicit trust when mail is handed back and forth within Microsoft's systems.

Re: Just a spam filter not working?

[Al_Lapalme]

Thanks, I missed that detail in TFA !

Re:

[whoever57]

Microsoft does not run full spam checks on all emails that originate in Microsoft and are sent to a Microsoft-hosted email address. In fact, Microsoft doesn't even publish a full SPF list for domains to include -- there is an SPF TXT record that can be included, but I regularly see SPF failures in my RUA reports where the origin IP address belongs to Microsoft.

I assume that this internal bypass of the spam filtering is the root of this vulnerability.

Re:

[omnichad]

SPF is easy. If you're using Microsoft servers through your own account to send, and it accepts the spoofed sender email, then it will be delivered.

DKIM is harder. I suspect that might have to do with inbound connectors and email forwarding. You set up an inbound connector that accepts untrusted email, and then set up a forwarding rule to send it to your target. It probably uses a system that implicitly trusts a lot and bypasses a lot of security checks and signs using the sender domain, since it has ac

Re:

[boulat]

Most of these spoofed email bugs are related to SPF record that uses ~all instead of -all

A lot of companies still use ~all and can be even be attacked through trusted domains and IP records they have whitelisted.

Its not a "vulnerability", just an amateur security team.

Nothing new here.

Re:

[omnichad]

They can be -all if you're using another 365 account for this scheme.

The problem is that DMARC analysis is still incredibly complex. Either you're paying high monthly fees to someone or you're using an extremely complex open source option. That's how you find out if you're ready to move from ~all to -all, because you can see the SPF alignment of every email coming from your domain (among recipient providers that send reports).

Re:

[omnichad]

If you can't understand it, move on. Otherwise, make an actual response.

Re:

[omnichad]

What part do you have a problem with?

Re:

[Monster_user]

It sounds like omnichad is suggesting using DEMARC as the newfangled "-all", for cloud providers that might be vulnerable such as Microsoft 365. Presumably, this would force DKIM into authority over SPF, as domains spoofing the 365 accounts would not likely have the organization's private DKIM signing key, while spoofed emails might not necessarily be blocked by a "-all" SPF flag should they originate from a vulnerable cloud provider.

It is not that omnichad is incompetent, it is that Microsoft is incompet

Re:

[whoever57]

I can answer the question of whether you should move to -all if you use Microsoft to host your email. In this case, you cannot move to
"-all"

I see the failures in the RUA reports. They are not failures from my company's SPF or DKIM setup.

Re:

[omnichad]

I forgot. Microsoft has a serious problem with using additional outbound IP addresses that aren't in their SPF ranges.

But aside from that, it sounds like -all wouldn't fix the vulnerability in the article, because it's using Microsoft's own servers to carry out delivery.

Re:

[whoever57]

But aside from that, it sounds like -all wouldn't fix the vulnerability in the article, because it's using Microsoft's own servers to carry out delivery.

Exactly.

Re:

[mysidia]

These protocols can still generally be bypassed though. When you receive an email message: You need to look at both the Envelope From and the message body rfc822 From header.

SPF Protects Only the Envelope from header but not the normal From header inside the message which most Email clients display at the top and in the message list.

Changing the normal From header is necessary for things like Forwarded messages, and Listserv mailing list mail. If I want to have my xyzabcdef@example.com email addre

Re:

[ls671]

You may use includes to include an infinity of ips if you want.

SPF: ips + include spf1
SPF1: ips + include spf2
SPF2: ips + include spf3

etc.

You mean

[YetAnotherDrew]

billg@microsoft.com doesn't need me to wire him $10,000?

Re:

[jacks smirking reven]

He just needs that money to pay the bank to get the $40M then for sure he will wire you half that for your troubles.

Re:

[YetAnotherDrew]

How did you know? Bill? Is that you, too?

Re:

[jacks smirking reven]

Yes it is I, William Gates III, I need help with my finances

Food $200
Data $150
Rent $800
Candles $3,600
Utility $150

someone who is good at the economy please help me budget this. my family is dying

Re:

[iAmWaySmarterThanYou]

No, he's good now. I already sent him the money.

Re:

[awwshit]

No, no, he is going to wire *you* $10,000. Then you just have to wire him back $9500, you keep $500 as your fee for helping him out. Just need your account info...

Re:You mean

[dysmal]

billg@microsoft.com doesn't need me to wire him $10,000?

He still owes me for helping him test his email tracking program. I sent that message to all of my family and my friends from school and he still hasn't paid up!

Re:

[UnknowingFool]

$10,000? You got off cheap. Bill G wanted more than that from me. Also apparently he is a prince in a country somewhere and needs the money to free his inheritance of which I will get a part.

Shared Responsibility

[DarkOx]

Microsoft just isnt serious about security not in the we should be a trusted partner to handled classified intel sort of way.

Whatever they might say about it the "Shared Responsibility" model boils down (for them) to no matter how obviously causal weakness in our products and PAAS services are we are going to find a way to blame the victim.

You see this in every action they take, like hiding audit features and identity and access management into upper license classes. The entire industry basically says MFA is must, but if you want conditional access in Microsoft's platform you are upgrading those users to P2 licenses! Then when you don't and your people get cred stuff MS will tell you 'should had x,y,z enabled, which you would have other than it would have cost a bunch more...'

I don't have problem with IT vendors competing on security, I don't have a problem with automakers competing on safety. However I do have a problem with MS aming a product at the nexus of security vs cost which is appropriate for small-to-medium business, lobbying congress to use it for the nations most critical information in terms of confidentiality and integrity requirements, and then inventing a bunch of silly rules and slogans to point the finger elsewhere when things go wrong.

Windows and Azure are fine if you are building bicycles in Ohio, and maybe its even alright if you are selling dry-goods in stores nation wide. It is maybe not good enough for critical infrastructure. Maybe it does not cost enough to be and that is fine. Someone else should fill that gap.

Re:

[omnichad]

Microsoft is bad at security, but I think Google is worse at email security. It seems like every time I get a scam email, it is from a compromised @gmail.com address.

You see this in every action they take, like hiding audit features and identity and access management into upper license classes.

This is just a really bad attempt at bait and switch. Lure people in with the lower prices but then everyone needs higher tier service just to have any security. Except that nobody is paying those prices for just that.

The problem is, the bicycle shops and stores need this as much as any large enterprise. You can't even find out if your user

Re:

[fuzzyfuzzyfungus]

Microsoft is in a position of deeply perverse incentives when it comes to security. They do spend a fair amount of money on it, and some of their offerings are at least OK; but they are positioned as separate offerings that they made ~$20 billion on last year, and which are typically given a favored position through a combination of license bundling schemes and EZ default integrations with their other products.

That's...quite an incentive...to not treat security as a mandatory baseline feature of all your

Re:

[gweihir]

Well, yes. And it is high time to un-perverse these incentives and regulate MS like the critical infrastructure and service provider they unfortunately are. The damage they already do is far too high to not do that.

Re:

[strikethree]

You see this in every action they take, like hiding audit features and identity and access management into upper license classes. The entire industry basically says MFA is must, but if you want conditional access in Microsoft's platform you are upgrading those users to P2 licenses! Then when you don't and your people get cred stuff MS will tell you 'should had x,y,z enabled, which you would have other than it would have cost a bunch more...'

It's good to be King. You can bitch all you want, but you either pay or suffer. There are zero options.

dmarc outlook.com p=none

[Anonymous Coward]

v=DMARC1; p=none; sp=quarantine; pct=100; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1

Easy to spot

[PPH]

If I find an e-mail in my in-box purportedly from Microsoft, I know it's fake. I have yet to see a Microsoft system sucsessfully deliver anything.

Re:

[gweihir]

Good point.

Microsoft Outlook has...

[joshuark]

Microsoft Outlook has the pet name Micro-slop "Look out!" as a work colleague called it during the Melissa https://en.wikipedia.org/wiki/... [wikipedia.org] security "incident" way back when.

The last time I had "an important message from" was when the president of Hotmail announced Microsoft was buying Hotmail...yeah it became hot, like Chernobyl.

"We're sorry..." and a "pledge" is much cheaper than actually fixing code so that execs can get their bonuses from increased profits.

JoshK.

As a Microsoft COM genius once wrote "Mi

Smells like working as intended

[mukundajohnson]

> The bug, according to Kokorin, only works when sending the email to Outlook accounts.

It sounds like the mail is being submitted to Microsoft's SMTP servers directly. Of course you can't use that to relay outside of Outlook. I'm wondering if the "hack" is just submitting an email via SMTP? I too discovered this "exploit" when I was 10.

Re:

[fuzzyfuzzyfungus]

If it is that simple then there's something pretty badly wrong with Microsoft's handling of SPF, DKIM, and DMARC.

It certainly is trivial to just fake up just about anything in an email(aside from the signatures you'd need the DKIM private key to generate); but it absolutely isn't supposed to be trivial to produce email with faked values that also withstands scrutiny when those records are expected(and one would hope that Microsoft can be nice and humorless about the correctness of email from microsoft.co

The 70's are calling...

[hAckz0r]

This is nothing new. Back in the 70's we just used telnet to connect to an SMTP server and typed in the text of the email we wanted to send, complete with the address to use as the sender of that email. Anything you wanted could go in that email, and the sender, would appear as anyone you wanted it to be. Bugs Bunny, POTUS, anyone. Now the SMTP servers likely require authentication, but the system is still vulnerable if you find an old SMTP server running ancient software. We now have certificates and spam

Re:

[SendBot]

This exploit is not at all like providing an arbitrary "from:" header. We've had SPF for decades now, plus there's DMARC and DKIM. Anonymous smtp relays have been exploited out of existence. The "system" is not "still vulnerable".

Everything about this semi-informed nonsense is so far off the mark that it's hard to distinguish from intentional trolling.

Re:

[bill_mcgonigle]

Some people stop learning at a certain age and also figure there's nothing new.

The former is fine, I suppose. COBOL programmers have a few more years to make mint.

Re:

[gweihir]

So you are saying MS is running "an old SMTP server running ancient software"? Would make sense to me. They fuck up everything else they do.

Those who trust Microsoft...

[Tough Love]

Whoever entrusts their security to Microsoft deserves what happens to them.

Re:

[gweihir]

I would not care much if every IT person that trusts MS dies in fire. The problem is that with the size of MS, I and a lot of others that never trusted MS and a lot of people that are not IT people and cannot reasonably be expected to know better will go down with them.

Old port 25 exploit?

[gabrieltss]

Gee I remember the old spammers trick using the port 25 exploit to do something similar.

telnet
set localecho
OPEN my.email.server.com 25
MAIL FROM: me@my.email.server.com
RCPT TO: you@your.email.server.com
DATA
Subject: This is the Microsoft Security Team!

This is the Microsoft Security Team to let you know of a major breach.
.
QUIT

Re:

[eneville]

I thought you were going to say

  WIZ

https://www.tenable.com/plugin... [tenable.com]

Good old Microsoft. Always even more incompetent

[gweihir]

I mean something like this is obvious material for a speedy escalation to the core security team. Apparently MS neither has that nor does it have escalation rules worth crap.

Re:

[eneville]

Tell me it was an AI chatbot handling the ticket without telling me...

Re:

[gweihir]

Possibly.

Microsoft is synonymous with spam

[protehnica]

I have reported spam sent from their networks to Microsoft before, and I all I ever got back from the "Microsoft Security Response Center" is "This report could not be validated, no action was taken.", no matter how clearly I defined what the problem was, indicating the Microsoft IPs where the spam originated at the exact timestamps, all backed by .eml samples.

Just to get an idea of how much they try to dissuade you from reporting spam in the first place, by making you jump through ridiculous hoops, their l

It's NOT A Bug!

[Bob_Who]

It's a feature
M$ contracts most software quality assurance staff in order to keep users buying newer operating systems. It's American ingenuity sucking the life out of their market domination so the management can afford to retire instead of being contract labor until they are 80 years old.

Problem with Outlook.com, exchange or DNS?

[Deal In One]

What is the problem based on? If it's due to MS Exchange or outlook.com it can be a bigger problem.

If it's something to do with the DNS setting, it should be fixed relatively easily.

It's a non-story

[jbmartin6]

Despite all the grousing here, this is a non-story. According to the article, MS said they could not reproduce it following the submitter's instructions and the submitter hasn't provided any details to anyone else.

Re:

[jbmartin6]

Well, I stand corrected, reports now say MS has acknowledged the issue. Grouse away!