A security expert has issued a warning to Microsoft email users about a surprisingly convincing phishing scam.
According to Vsevolod Kokorin, whose online handle is Slonser, there is a bug that allows cybercriminals to make phishing scams look a lot more credible. This could mean victims may click on malicious links without realizing they’re part of a scam.
Specifically, bad actors are able to mimic Microsoft corporate accounts – those ending in @microsoft.com – making it seem as though they are emailing from a credible source. For example, an email could appear to be sent from [email protected], as highlighted in Slonser’s original post.
I want to share my recent case:
> I found a vulnerability that allows sending a message from any user@domain
> We cannot reproduce it
> I send a video with the exploitation, a full PoC
> We cannot reproduce it
At this point, I decided to stop the communication with Microsoft. pic.twitter.com/mJDoHTn9Xv— slonser (@slonser_) June 14, 2024
While the copy in the email is clearly not from Microsoft, the email address itself looks impressively realistic. This is a common tactic in phishing scams, enticing victims to click on links under the guide of a legitimate request but actually directing people to a malicious website.
This could then lead to people handing over sensitive information, paying money to an unknown person, or downloading malware onto a device without them realizing.
How has Microsoft responded?
Slonser has reported the bug to Microsoft but the company initially said that it was unable to reproduce his original exploit. In a follow-up post to X, he went on to note that the tech company had acknowledged the issue.
What’s more, speaking to the website TechCrunch on Wednesday, Mr. Kokorin said: “Microsoft just said they couldn’t reproduce it without providing any details. Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”
The bug only appears to work when sending emails directly to Outlook accounts, so Microsoft email users in particular should be on the lookout, of which there are around 400 million in the world.
Even still, phishing scams can strike anyone with any email account, being deemed one of the top tech threats earlier this year. Look out for any emails that attempt to make you take action urgently. When in doubt, contact the company directly rather than clicking through on links in emails.
Featured image: Pexels
The post “Microsoft email users warned of new, convincing phishing email scam” by Rachael Davies was published on 06/20/2024 by readwrite.com