Scammers Could Send Emails 'From Microsoft'

John Lister's picture

A particularly embarrassing bug makes it easy to send emails that appear to be from Microsoft employees. It's bad news for the public as it could make phishing scams appear more credible.

The good news is that it only works if the recipient is using Outlook, though "good" is a comparative term because there are over 400 million Outlook users worldwide. (Source:

Users Asked to Remain Vigilant

Exactly how the bug works and where its found still isn't known, as the security researcher says they do not want to give details that could help potential attackers exploit the bug on a much larger scale.

It's unclear whether the bug would let an attacker send a message seemingly from only a Microsoft account, or if that's simply the embarrassing example used to highlight the issue.

With details so vague, it's tough to say exactly what to watch for. As such we're recommending that Outlook users be extra careful about clicking on any emails that purport to be from Microsoft - especially any asking you to "validate your information," for example.

Microsoft "Can't Reproduce" Bug

The researcher says they discovered the bug and reported it to Microsoft but was simply told Microsoft could not reproduce the vulnerability. The researcher sent a video demonstrating how to pull off an attack but got the same reply.

TechCrunch says it asked the researcher for more details and was sent a demonstration email which did indeed appear to come "from Microsoft's account security team." (Source:

The researcher says that since he went public, Microsoft has engaged with him and acknowledge the issue. The bug itself appears to still be unpatched.

Phishing Bonanza

Even if the bug is only restricted to spoofing Microsoft emails, it's still has some significant potential for abuse, particularly given targets would be running Outlook. It's very easy to imagine scammers sending messages that appeared to be from Microsoft and include false claims about the user's account being at risk.

From there, the scammer could either trick the user into opening an attachment that supposedly included a fix, or link them to a look-alike website and ask them to confirm their Outlook login details. That could give access to an email account, something that could not only reveal sensitive or personal information, but could make it much easier to breach the user's other online accounts, for example by exploiting forgotten password requests.

What's Your Opinion?

Do you use Outlook? Would you be suspicious of a message from a Microsoft address? Is it realistic to expect Microsoft to explore every bug report in depth?

Rate this article: 
Average: 5 (8 votes)


LouisianaJoe's picture

In the 80's I wrote a Windows case tracking application for an Appellate Court. One of the functions in that program was to inform attorneys for a case by email informing them of activity on a case. The program was written in VB and used a mail API to specify the email of the sender and the recipient. It used a Court specific email address for the sender. As far as I know, that code is still in use.