
Expert warns of phishing bug that puts 400,000,000 email users at risk

The Apple Mail application icon is seen on the home screen of an iPhone in Warsaw, Poland on March 3, 2021. (Photo by Jaap Arriens/NurPhoto via Getty Images)

A security expert has warned email users about a bug that allows cybercriminals to make phishing attacks look much more credible, tricking victims into clicking on malicious links.

Vsevolod Kokorin, who goes by the online name Slonser, has discovered a bug that allows anyone to spoof Microsoft corporate accounts (those ending in @microsoft.com). To show how convincing it looked, he sent emails that appeared to come from [email protected], an address many recipients would trust and whose instructions they would be likely to follow.

Hackers often spoof email addresses to win their victims’ trust by making messages appear genuine. The email usually asks the recipient to click on a link that takes them to a malicious website.

At this point, depending on the scam, the system may trick them into handing over sensitive information, such as passwords or banking details, or downloading malware onto their device.

This is known as a phishing attack.

Mr Kokorin said he reported the bug to Microsoft, which initially said it could not reproduce his findings and was not investigating it further.

However, yesterday he said on X, formerly Twitter, that the tech giant had acknowledged the problem.

Speaking to the website TechCrunch on Wednesday, Mr Kokorin said: ‘Microsoft just said they couldn’t reproduce it without providing any details. Microsoft may have noticed my tweet because a few hours ago they reopened one of my reports I submitted several months ago.’

He added that the bug only works when sending emails directly to Outlook accounts, and not with other providers such as Gmail or Yahoo.

The bug targets Outlook users (Photo: Getty)

However, there are approximately 400 million users of Outlook, meaning it still poses a significant threat.

Scammers will often try to create a sense of urgency in their victims, urging them to act quickly on whatever issue is raised in the email rather than taking their time and thinking it through. Anyone who receives an email alerting them to issues that require urgent or immediate attention should be wary and, if in doubt, contact the company directly rather than clicking on links in unsolicited emails.

Metro.co.uk has contacted Microsoft for comment.
