A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts, making phishing attempts appear more credible and likely to deceive their targets. As of now, the bug remains unpatched.
Vsevolod Kokorin, also known online as Slonser, identified the email-spoofing bug and reported it to Microsoft. However, the company initially dismissed his report, claiming they couldn’t reproduce his findings. Frustrated by the response, Kokorin publicized the bug on X (formerly Twitter), although he refrained from sharing technical details to prevent misuse.
To demonstrate the bug, Kokorin sent an email that appeared to come from Microsoft’s account security team. He explained that the bug works specifically with Outlook accounts, impacting at least 400 million users worldwide, based on Microsoft’s latest earnings report.
“Microsoft just said they couldn’t reproduce it without providing any details,” Kokorin told TechCrunch in an online chat. He added that Microsoft might have noticed his tweet because they reopened one of his reports a few hours later.
Kokorin clarified his motivations in his X post: “Many people misunderstood me and think that I want money or something like that. In reality, I just want companies not to ignore researchers and to be more friendly when you try to help them.”
The extent of the threat posed by this bug is currently unknown. It remains unclear if others have discovered or exploited the vulnerability. Microsoft has faced several security issues in recent years, leading to federal investigations and congressional scrutiny.
