If you use Hotmail you’re at risk from very convincing scams
A security expert has warned email users over a bug that allows cybercriminals to make phishing attacks look far more credible, helping trick victims into clicking on malicious links.
Vsevolod Kokorin, who goes by Slonser online, found a bug that allows anyone to spoof Microsoft corporate accounts – those ending in @microsoft.com. To show how convincing it looked, he sent emails that appeared to come from security@microsoft.com, which many would trust and follow instructions from.
Hackers often spoof, or forge, email addresses to earn the trust of their victims by making messages appear realistic. The email will usually ask the recipient to click on a link, which directs them to a malicious website.
At this point, depending on the scam, it may then trick them into handing over sensitive information, such as passwords or banking details, or into downloading malware onto their device.
This is known as a phishing attack.
Mr Kokorin said he reported the bug to Microsoft, which initially said it was unable to reproduce his findings and did not investigate further.
However, yesterday he said on X, formerly Twitter, that the tech giant had acknowledged the issue.
Speaking to the website TechCrunch on Wednesday, Mr Kokorin said: ‘Microsoft just said they couldn’t reproduce it without providing any details. Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.’
He added that the bug only works when sending emails directly to Outlook accounts, and not other providers such as Gmail or Yahoo.
However, there are around 400 million users of Outlook, meaning it still poses a significant threat.
Scammers will often try to instill a sense of urgency in their victims, urging them to act quickly to whatever issue is raised in the email, rather than taking time and thinking it through. Anyone receiving an email alerting them to issues that need urgent or immediate attention should be wary, and if in doubt, contact the company directly, rather than clicking on links in unsolicited emails.
Metro.co.uk has contacted Microsoft for comment.