Admin

400 Million Outlook Users Warned—Beware Scam MS Security Emails

Published: August 19, 2024 on our newsletter Security Fraud News & Alerts Newsletter.



A security researcher recently posted an alert to 400 million MS Outlook users. The post on “X” warned about a flaw that allows criminals to send messages that appear to come from legitimate Microsoft (MS) employee email addresses. That has serious security consequences, with users being phished. However, Microsoft hasn’t created a security patch to fix the flaw, while the security of so many millions of Outlook users hangs in the balance.


It Doesn’t Exist


Microsoft typically sends users security alerts about a flaw and follows up with a patch to fix it. But in this case, the company has yet to acknowledge the flaw exists and therefore won’t create a patch. The problem, according to the security researcher, is that MS says it is unable to reproduce the flaw.


Slonser, as the bug hunter calls himself, found the bug and reported it to MS before making it public. When the company dismissed his findings, he took to reporting the flaw on X. Slonser did not provide any technical details in the post, keeping bad actors from using that information to exploit the flaw. According to Slonser, the flaw can only be abused by sending emails to Outlook accounts.



Phishing Fears


When a security flaw involves email phishing, especially one affecting 400 million Outlook email accounts, the risk of getting phished is serious business. To demonstrate the flaw, Slonser sent an email to TechCrunch that looked like a legitimate message from an MS security team member. An unsuspecting Outlook user is easily tricked into providing sensitive information in response to such an email.


Account takeovers, identity theft and financial fraud are just a few possibilities email phishers have up their sleeves, especially when they have “MS legitimacy” to work with. The best option for Outlook users is keeping their phishing red flags ready for all emails from MS. A few basics: never open email attachments or follow links, never provide sensitive PII or account information, and never call a phone number given in the email. If an email says there’s a problem with your account, go to the official Outlook website and log in to your account to find out if it’s really true. And if you’re not expecting to receive a link or attachment, regardless of who the sender claims to be, don’t click it.


In the meantime, while MS further investigates this flaw, we can only hope it gets resolved, including releasing a security patch. Millions of Outlook users are waiting.


Want to schedule a conversation? Please email us at advisor@nadicent.com
