Microsoft Finally Investigating Security Bug That Allows Users to Spoof Employee Emails

Microsoft is reopening a security investigation it opened and closed months ago following a researcher's good-faith disclosure. The reported bug, which for now appears to be exclusive to Outlook, enables users to spoof Microsoft employees' email addresses.

Vsevolod Kokorin, a security specialist at the Moscow-based network security firm SolidLab, discovered earlier this year that any Outlook user could send an email "from any user@domain." Though this technically means users should be able to spoof just about any email address they want, Kokorin tested the bug by impersonating Microsoft's security team. He then notified the company of his findings, only to be told that Microsoft couldn't reproduce the bug and would therefore close Kokorin's report.

If the above pattern sounds a bit familiar, that's because Microsoft appears to have grown a bit sloppy with its security. This spring, Microsoft announced Recall, a feature that takes a snapshot of your screen every few seconds. The idea was to supply the brand's new Copilot+ PCs with photographic memory, enabling users to search everything they've ever done on their computer. It took weeks of public backlash, plus proof from a cybersecurity expert that the feature was easy to hack, for Microsoft to delay the tool's rollout and reconsider its Recall strategy. Microsoft leadership has also expressed dissatisfaction with the company's take on security: just last month, CEO Satya Nadella noted that the company would need to start trading in other priorities for a focus on system resilience.