Security Bug Makes Impersonating Microsoft Corporate Emails Possible for Anyone

Written by Lore Apostol
Last updated June 27, 2024

An email-spoofing vulnerability could let anyone impersonate a Microsoft corporate email, as reported on X (formerly Twitter) by Vsevolod Kokorin, also known online as Slonser, who notified the company of this worrying discovery. 

This flaw allows sending email messages from any user and domain. However, Kokorin said the bug only manifests when sending emails to Outlook accounts, and according to Microsoft's latest earnings report, at least 400 million of them exist around the world. 

The researcher says the tech giant couldn’t reproduce his findings and dismissed his discovery. After posting this finding, the researcher said Microsoft reopened one of his older reports submitted several months ago, mentioning he would like companies to be more friendly when researchers try to help them.

Kokorin did not publish technical details that would help malicious actors abuse this bug, but he recorded a video demonstrating the exploitation as a full proof of concept (PoC). There is no information on whether anyone else has found this flaw or whether it has already been exploited by bad actors.

Microsoft has experienced several security issues in recent years, such as China stealing U.S. federal government emails from the company’s servers in 2023 and a hacking gang linked to Russia breaching Microsoft's corporate email accounts to steal information. 

Microsoft refused to acknowledge a critical security flaw due to fears of losing government business. Yet Russian hackers later exploited that vulnerability, targeting the National Nuclear Security Administration, tech company SolarWinds, and others.
