Hacker discovered flaw that allowed him to send emails as if he were a Microsoft employee

Researcher Vsevolod Kokorin discovered a vulnerability that allowed hackers to send emails under Microsoft’s corporate domain. By exploiting this flaw, anyone, including employees, can send emails as if they were coming from an official company address.

Kokorin, known online under the pseudonym Slonser, said: TechCrunch This vulnerability was reported to Microsoft as soon as it was discovered. To prove the flaw, he sent an email from Microsoft’s security team to what appeared to be a legitimate news site.

He also noted that the bug only works when the message is sent to Outlook account addresses. There are at least 400 million active Outlook accounts worldwide, according to the company’s latest financial statement. The service is Gmail’s main global competitor.

Although it was a serious failure, the researcher was not taken seriously. He said that Microsoft ended the communication stating that it could not reproduce the reported error. The company did not note any abnormalities in the trial.

Last week, Kokorin posted about the flaw in account X without providing detailed information on how it could be exploited. In the post, he republished his conversation with Big Tech, warning that he could use any of its corporate addresses. The researcher even posted a video to explain how the malfunction occurred.

However, after the vulnerability in X was made public, Microsoft opened one of the messages Kokorin sent about the bug. According to the investigator, the message was sent months ago. Currently the vulnerability is unpatched.

US email theft in 2023

Kokorin’s discovery follows a series of security “bad luck” that Microsoft has faced in recent years.

Last year, the company admitted that Chinese hackers exploited a code flaw and misused its digital keys. The attack allowed the theft of emails from US government agencies.