A new study has reportedly discovered a worrying security Microsoft bug that can make anyone seem like an employee from the tech giant when sending an email to Outlook accounts, allowing for easier phishing scams.

Vsevolod Kokorin, also known online as Slonser, claimed to have discovered the email-spoofing flaw last week and reported it to Microsoft. However, the latter rejected his report, stating it could not replicate his results.

Kokorin posted his findings on X (previously Twitter). As a result, Kokorin decided to disclose the problem on X to the public without offering any technical information that could aid in its exploitation. The bug has not yet been fixed as of this writing.

Kokorin claims that the bug is limited to sending emails to Outlook accounts. Still, based on Microsoft's most recent financial report, it represents a global user base of at least 400 million people. According to Kokorin, he last communicated with Microsoft on June 15.

It is said that no one except Kokorin has discovered the flaw's existence or malicious exploitation.

Read Also: Microsoft Gives OpenAI its Best AI for Development, Claims Okta CEO 

Microsoft Against Hackers

The newly discovered bug comes as a new cybersecurity report found that Microsoft Office software continues to be vulnerable to hacking attempts.

According to the Software Vulnerability Ratings Report 2024, Microsoft Office has the most total number of vulnerabilities of any office product. RCEs account for 40-50% of the almost 80% of vulnerabilities categorized as critical each year. Additionally, 5% more people were exploiting it in 2023. 

Compared to other software, office apps are easier for hackers to compromise because they are user-facing and prone to human error. Common user behaviors, including clicking embedded links, activating macros, and opening documents, might be the subject of phishing attempts. 

An attack of this type has the best chance of success since Microsoft Office is so prevalent, relied on, and recognized by users. The authors predict a rise in phishing attacks that target issues in Microsoft Office. 

Of all the major web browsers, Microsoft Edge has the most RCE vulnerabilities over the last three years -14 total. The number rose by 500% between 2021 and 2022 and 17% between 2022 and 2023. Although RCEs accounted for just 1% of Firefox and Chrome vulnerabilities, 10% of all vulnerabilities were made public.

Microsoft Hacking Incidents

Following China's 2023 theft of a portion of Microsoft's computers containing emails from the US federal government, Microsoft President Brad Smith testified in a House committee last week. Following several security blunders, Smith promised throughout the hearing that the company would once again prioritize cybersecurity.  

According to CISA, a recent Microsoft data breach involving Russian hackers may have exposed confidential government information that poses a threat to US federal organizations.

Microsoft, a Redmond, Washington-based firm, is mostly responsible for the cybersecurity of federal employees' work since the entire US government uses its Windows operating system, Outlook email, and other apps. As a result, a breach involving the tech giant can potentially involve the government.   

Related Article: Microsoft to Release AI-Powered Cybersecurity Tool