A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.
As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team.
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company closed his report after saying it couldn’t reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.
I need to share my recent case:
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to break the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv
“Microsoft just said they couldn’t reproduce it without providing any particulars,” Kokorin told TechCrunch in an online chat. “Microsoft might have acknowledged my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”
The bug, according to Kokorin, only works when sending the email to Outlook accounts. Still, that is a pool of at least 400 million users all over the world, according to Microsoft’s latest earnings report.
Kokorin said he last followed up with Microsoft on June 15. Microsoft did not respond to TechCrunch’s request for comment on Tuesday.
TechCrunch is not disclosing technical details of the bug to prevent malicious hackers from exploiting it.
“I did not expect my post to get such a reaction. Candidly, I just wanted to share my defeat because this situation made me sad,” Kokorin said. “Many people misunderstood me and think that I need money or something like that. In reality, I just need companies not to push aside researchers and to be more friendly when you try to help them.”
It’s not known if anyone other than Kokorin found the bug, or if it has been maliciously exploited.
While the impact of this bug, at this point, is unknown, Microsoft has experienced several security problems in recent years, prompting investigations by both federal regulators and congressional lawmakers.
Last week, Microsoft president Brad Smith testified in a House hearing after China stole a tranche of U.S. federal government emails from Microsoft’s servers in 2023. In the hearing, Smith pledged a renewed effort to prioritize cybersecurity in the company after a slew of security embarrassments.
Months before, in January, Microsoft confirmed that a Russian government-linked hacking group had broken into Microsoft corporate email accounts to steal information about what the company’s top executives knew about the hackers themselves. And last week, ProPublica revealed that Microsoft had failed to heed warnings about a critical flaw that was later exploited in the Russian-backed cyber espionage campaign that targeted tech company SolarWinds.