A critical vulnerability has been discovered in Microsoft’s systems that allows attackers to impersonate Microsoft corporate email accounts. The flaw could be exploited for large-scale phishing attacks, potentially compromising sensitive information or harming Microsoft’s reputation.
Details of the Vulnerability:
- Discovered by security researcher Vsevolod Kokorin (@Slonser).
- Allows anyone to forge Microsoft corporate email addresses, making phishing attempts appear legitimate.
- Technical details are not being publicly disclosed to prevent immediate exploitation.
Timeline and Response:
- Kokorin reported the vulnerability to Microsoft but claims the company could not replicate the issue.
- Frustrated by the lack of response, Kokorin publicly disclosed the flaw on platform X (formerly Twitter).
- Microsoft has not yet responded to requests for comment.
Current Status and Recommendations:
- The vulnerability remains unpatched, raising concerns about potential ongoing exploitation.
- It is strongly recommended that Microsoft prioritize patching this critical flaw to protect its users and reputation.
Following Developments:
- We will continue to monitor the situation and report on any updates from Microsoft or the security community.
Actionable Steps for Users:
- While details are limited, be wary of any emails claiming to be from Microsoft, especially those with unusual urgency or requests for sensitive information.
- If unsure about an email’s legitimacy, contact the sender through a trusted channel to verify.
- Consider using email security solutions that can help detect phishing attempts.
If Microsoft patches this vulnerability and users stay aware of the risk, the two together can mitigate the threat of email spoofing attacks.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.