Confusion about a loophole: Sender forgery in Outlook

A loophole in Outlook accounts is said to make it possible to forge sender addresses - by bypassing verification mechanisms such as DMARC.


Microsoft is being scrutinized (symbolic image).

(Image: IB Photography/Shutterstock.com)

This article was originally published in German and has been automatically translated.

A vulnerability in Outlook accounts, recently reported by several media outlets, is said to allow attackers to send victims emails with forged sender addresses, for example ones that appear to come from Microsoft. According to the discoverer, this bypasses protection mechanisms such as DKIM and DMARC, so that no warning is displayed to the recipient. Microsoft, however, says it cannot reproduce the flaw.

Vsevolod Kokorin, who goes by the handle Slonser on X (formerly Twitter), demonstrated the vulnerability to Techcrunch. He sent the publication a fake email with the purported sender "Microsoft Account Security Team" that looked as if it had really come from there. The heise editorial team, however, managed to do the same without exploiting any bug, simply by manipulating the mail headers. This works because, among other things, the DMARC policy in play was not a strict one (p=quarantine or p=reject), which is what would prompt a receiving server to warn about or filter such a message.
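Why header manipulation alone gets through when no strict policy is published, shown as an added example that is not part of the heise article and not code from Microsoft or from Kokorin: a minimal DMARC evaluator in Python. The DNS records, domains (example.com, example.net, example.org) and message scenarios below are constructed for the example; the `FAKE_DNS` table stands in for a real TXT lookup of `_dmarc.<domain>`. It also shows a point the article touches on: DMARC aligns only the domain of the From: address, never the display name, so a message from an attacker-owned domain that passes SPF can carry the display name "Microsoft Account Security Team" and still get a DMARC pass.

```python
"""Minimal DMARC evaluation (added example; constructed data, no real DNS)."""
from email.utils import parseaddr

# Constructed stand-in for DNS TXT records at _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    # example.org deliberately publishes no DMARC record at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(domain, dns=FAKE_DNS):
    """Return the parsed policy for a domain, or None if there is no usable record."""
    record = dns.get(f"_dmarc.{domain.lower()}")
    if record is None:
        return None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    # Simplified organisational domain: the last two labels. Real validators
    # consult the Public Suffix List; this shortcut is fine for the constructed data.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= of a verified signature (None if there was none). Results are the
    strings "pass" / "fail" / "none" as a verifier would report them.
    """
    display_name, addr = parseaddr(from_header)
    # The display name is intentionally unused: DMARC never looks at it.
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    policy = lookup_dmarc(from_domain, dns)
    if policy is None:
        return "none", "none"          # nothing published, nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]         # p=none means: fail, but deliver anyway


if __name__ == "__main__":
    brand = '"Microsoft Account Security Team" <security@%s>'
    # Forged From: under a p=reject domain, SPF passing only for the attacker's MAIL FROM.
    print(evaluate_dmarc(brand % "example.com", "pass", "attacker.example.net", "none", None))
    # Same forgery under a p=none domain: DMARC fails, but the disposition is "none".
    print(evaluate_dmarc(brand % "example.net", "pass", "attacker.example.org", "none", None))
    # No DMARC record at all: the receiver has nothing to enforce.
    print(evaluate_dmarc(brand % "example.org", "fail", None, "none", None))
    # Attacker-controlled address with a brand display name and aligned SPF: a clean pass.
    print(evaluate_dmarc(brand % "example.net", "pass", "bounce.example.net", "none", None))
```

The second and third scenarios are the situation the editorial test ran into: without p=quarantine or p=reject, a failed or absent DMARC check changes nothing about delivery. The last scenario is why "any name" is a weaker claim than "any address": a display name is outside DMARC's scope, so only the address domain and its policy decide the outcome.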

The vulnerability allows attackers to forge messages that appear to originate from Microsoft, for example, which would make phishing emails more credible and victims more likely to fall for them. Kokorin did not provide any details about the vulnerability; even when asked by heise online, he declined to share further information, as the flaw could be abused to the detriment of others. However, he confirmed: "The point is that the vulnerability makes it possible to send a mail with any name to Outlook Mail and bypass all security mechanisms such as DMARC".

Kokorin wrote on X that Microsoft had told him it could not reproduce the vulnerability, even though he had sent a video of it being exploited, a complete proof of concept. After Microsoft stated a second time that it could not reproduce the flaw, the researcher gave up. Kokorin added to Techcrunch that Microsoft may have become aware of his post, as the case that had been closed months ago has now been reopened. Microsoft did not comment when asked by Techcrunch.

When asked, a Microsoft spokesperson told heise online: "We are investigating the case and will take action to protect customers if necessary".

What remains is that, if the reported vulnerability exists, protection mechanisms such as DMARC and DKIM may not be effective in Outlook. Users of Outlook and Office 365 / Microsoft 365 therefore cannot rely on incoming emails being genuine even when such mechanisms are enabled, and should remain on their guard against phishing attacks.

(dmk)